Configuring routing table running on Linux Machine

Monitoring traffic for "network addresses" within the context of a "routing table" on a machine typically involves analyzing how packets are routed through the network and identifying specific traffic patterns for certain network addresses or subnets. Below are the key methods and tools to monitor such traffic:

1. Inspecting the Routing Table
   • The routing table itself helps determine where packets destined for specific network addresses will be sent. On Linux, you can inspect the routing table with:
   • ip route show
   • route -n (deprecated in newer Linux versions but still available)
   • Look for entries that match specific subnets or default routes to ensure packets are being sent correctly.
2. Monitoring Network Traffic Using Tools
   • Monitoring tools help capture and analyze network traffic to or from specific network addresses. Some popular tools include:
   • tcpdump
     • A command-line packet analyzer that allows you to capture and inspect traffic.
     • Example to monitor traffic for a specific network address:

     sudo tcpdump host 192.168.1.1

     • To capture traffic for a subnet:

     sudo tcpdump net 192.168.1.0/24

   • Wireshark
     • A graphical tool for analyzing network traffic in-depth.
     • Apply filters to capture traffic for a specific network or subnet:

     ip.addr == 192.168.1.1

     • Wireshark provides advanced filtering and visualization of traffic data.
   • nload
     • A command-line tool to monitor incoming and outgoing traffic on specific interfaces.
     • Helps identify general traffic trends without detailed packet analysis.
   • iftop
     • Provides a real-time view of network traffic sorted by IP addresses or subnets.
     • Launch it for a specific interface to see traffic flow:

     sudo iftop -i eth0

3. Netfilter and iptables/nftables
   • Use Linux's iptables or nftables to log traffic to specific network addresses or ranges.
   • Example with iptables to log all packets destined for a network:

   sudo iptables -A OUTPUT -d 192.168.1.0/24 -j LOG --log-prefix "Traffic to subnet: "

   • Logs will appear in /var/log/syslog or /var/log/messages.
4. Traffic Analysis with NetFlow or sFlow
   • Use NetFlow (Cisco) or sFlow to gather flow-based traffic data for the entire network.
   • Flow data provides aggregated insights into traffic patterns, including:
   • Source and destination IPs
   • Traffic volumes
   • Protocol usage
   • Tools to analyze flow data:
   • nfdump (NetFlow analyzer)
   • sFlowTool (sFlow analyzer)
5. System Logs and Monitoring Solutions
   • Leverage centralized logging tools like:
   • Syslog for traffic-related logs
   • ELK Stack (Elasticsearch, Logstash, Kibana) to analyze logs
   • Use advanced monitoring systems like Nagios, Zabbix, or Prometheus to set up alerts and dashboards.

Example Workflow for Monitoring a Subnet:

1. Check the Routing Table:
   

   ip route show
   

   
   Verify the correct route exists for the subnet (e.g., 192.168.1.0/24).
2. Capture Traffic with tcpdump:
   

   sudo tcpdump net 192.168.1.0/24
   

3. Analyze in Real Time with iftop:
   

   sudo iftop -i eth0
   

4. Log Traffic Using iptables:

   sudo iptables -A INPUT -s 192.168.1.0/24 -j LOG --log-prefix "Incoming traffic: "
   

5. Visualize Using Wireshark or ELK:
   • Filter for the subnet and analyze traffic patterns.

By combining these tools and techniques, you can effectively monitor traffic for specific network addresses and ensure proper routing and network performance.

Assuming an already configured machine named isolde, let uslook at the IP addressing and routing table. Next we will examine how the machine communicates with computers (hosts) on the locally reachable network. We will then send packets through our default gateway to other networks. After learning what a default route is, we will look at a static route.
One of the first things to learn about a machine attached to an IP network is its IP address. We will begin by looking at a machine named isolde on the main desktop network (192.168.99.0/24). The machine isolde is alive on IP 192.168.99.35 and has been properly configured by the system administrator. By examining the route and ifconfig output we can learn a good deal about the network to which isolde is connected.

• Solaris: On Solaris, use the command netstat -nr to dump the routing table. The output is nearly identical to the output of the route command used on Linux. The routing table gives a list of potential destinations, and for each destination, the IP address of a gateway^[1]. Information intended for one of the listed destinations is sent to the specified gateway. We are assuming that this machine is on a local network with only one gateway (this is a typical situation), so any traffic not for the local network should be directed to that gateway. The only entry in the routing table that needs to be set is the default route, because the local route is set automatically by the ifconfig command. To set the default route, use:
  

  host# /sbin/route add default gw [address]
  

  
  The route command may also be used to delete a route:

  host# /sbin/route del [ address ]
  

  
  The link below contains additional information regarding linux routing commands.
  
• Linux Routing Commmands:
  1. You are logged on with normal user permissions, and you are in the /home/user1 directory.
     Your systems administrator has updated the system PATH value to allow you to use the route command. You are going to work with the routing table in order to further understand the significance of a properly configured routing table.
     Your IP address is 192.168.199.34. You are therefore on the 192.168.199.0 network. Issue the proper command to inspect your routing table.
     Solution: route
  2. According to the readout, your default gateway is 192.168.199.1. You can see this by viewing the entry that says default Then, look for the entry beneath “Gateway”. The default gateway is listed here (192.168.199.1). Send four ping packets to your default gateway.
     Solution:
     

     ping -c 4 192.168.199.1
     

  3. You now know that you can access your default gateway. Assert root privileges so that you can work with your routing table.
     Solution: su
  4. Use rootpass as your password.
  5. Now that you have root privileges, you can experiment with the routing table to further understand the consequences of a misconfigured routing table. Delete the default gateway entry. Hint: Your command will involve the use of the word “default.”
     Solution: route del default
  6. One of the many systems on your subnet has the IP address of 192.168.199.129. Issue four ping packets to see if you can still reach this system.
     Solution: ping -c 4 192.168.199.129
  7. Notice that you can still connect to this system, even though you have deleted the default gateway from your system's routing table. This is because the system exists on the same subnet, and does not require a default gateway. Now, check to see if you can ping another host on another subnet.For example, the Acme Web server is on another subnet. Ping the host at www.acmecorp.com four times.
     Solution: ping -c 4 www.acmecorp.com
  8. Note that you have not been able to issue this query, because the Acme Web server exists on a different subnet. In order to send messages to this Web server, you require a router to intercede for you. It is possible, however, that your DNS server may be down. This means that even though you may still have a default gateway, your DNS server will not be able to provide name-to-IP-address resolution. To troubleshoot your connectivity, use ping to query the Acme Web server by its IP address (216.32.118.210). Send the server two ping packets.
     Solution: ping -c 2 216.32.118.210
  9. The attempt has failed, confirming your understanding of the routing table. The problem is not with DNS. It is with your routing table. Now, issue a command that creates a new default entry for your default gateway.
     Solution: route add default gw 192.168.199.1
  10. Your interface has a default gateway, again. Test your connectivity by pinging the Acme Web server again twice. Use the following command: ping -c 2 www.acmecorp.com.
      Solution: ping -c 2 www.acmecorp.com

How do I configure Routing command in Solaris?