
Operational Commands Reference

This document provides a repository of useful commands for managing, troubleshooting, and interacting with the nodes in the VNTD laboratory.


Container Management

These commands are executed from the host machine to control the virtual environment.

  • View Device Logs: Check the output and initialization errors for a specific node:

    docker logs clab-virtual-env-internal-server
    

  • Connect to a Device: Open a terminal inside a running node:

    docker exec -it clab-virtual-env-pc-vlan50-1 bash
    


Services

To view the services running on a specific device, use:

service --status-all
ps aux

Traffic Inspection Tools

tcpdump

Use tcpdump to capture and analyze packets on a specific interface. This is critical for validating that the DHCP Relay or Firewall is forwarding traffic correctly.

  • Monitor DHCP Traffic: Replace <port> with the physical interface to analyze. In this example the DHCP traffic (server port 67, client port 68) is captured so that related issues can be spotted when a change is made and the service no longer works as intended:

    tcpdump -i <port> -nn 'port 67 or port 68'

Connectivity and Web Verification

Test if web services are reachable and serving content through the network policies.

Web Service Check

# Internal DMZ Website
curl http://enterprise.local

# External ISP Website
curl http://internet.com

Expected output: "Hello from Nginx on the web server"


DHCP Troubleshooting

To request an IP address again from a client device with access to the DHCP server:

dhcpcd -4 -d eth1

DNS Troubleshooting

Tools to verify the name resolution service between the enterprise network and the internet.

DNS Infrastructure

Zone           Known DNS IP Addresses
Internal DNS   192.168.10.10, 192.168.40.10
External DNS   172.16.100.100, 172.16.30.2

Resolution Diagnostic Tools

# Which DNS to query
cat /etc/resolv.conf
# Query DNS records for a specific name
nslookup enterprise.local
nslookup 192.168.10.10
# More structured and detailed output
dig www.enterprise.local

Example Output

pc_enterprise:/# nslookup enterprise.local
Server:     192.168.10.10
Address:    192.168.10.10#53

Name:   enterprise.local
Address: 192.168.10.10
pc_enterprise:/# nslookup enterprise.com
Server:     192.168.10.10
Address:    192.168.10.10#53

Name:   enterprise.com
Address: 192.168.10.10
pc_enterprise:/# nslookup internet.com
Server:     192.168.10.10
Address:    192.168.10.10#53

Name:   internet.com
Address: 172.16.100.100
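The transcript above can be checked automatically against the DNS Infrastructure table. The following script is an added example, not part of the lab's own tooling: it parses an nslookup session in the format shown, records which resolver answered each query and what addresses came back, and flags a resolver that is not one of the known lab DNS servers or an internal .local name that resolves to a public address. The first transcript is the one from the Example Output section; the second (TAMPERED_TRANSCRIPT, resolver 10.66.66.66, answer 1.2.3.4) is constructed for this example and does not come from the lab.

```python
import ipaddress
import re

# Known lab resolvers, taken from the DNS Infrastructure table.
INTERNAL_DNS = {"192.168.10.10", "192.168.40.10"}
EXTERNAL_DNS = {"172.16.100.100", "172.16.30.2"}
KNOWN_RESOLVERS = INTERNAL_DNS | EXTERNAL_DNS

# Transcript copied from the Example Output section of this document.
TRANSCRIPT = """\
pc_enterprise:/# nslookup enterprise.local
Server:     192.168.10.10
Address:    192.168.10.10#53

Name:   enterprise.local
Address: 192.168.10.10
pc_enterprise:/# nslookup enterprise.com
Server:     192.168.10.10
Address:    192.168.10.10#53

Name:   enterprise.com
Address: 192.168.10.10
pc_enterprise:/# nslookup internet.com
Server:     192.168.10.10
Address:    192.168.10.10#53

Name:   internet.com
Address: 172.16.100.100
"""

# Constructed transcript (not from the lab): the client is answered by an unknown
# resolver and the internal name comes back with a public address.
TAMPERED_TRANSCRIPT = """\
pc_enterprise:/# nslookup enterprise.local
Server:     10.66.66.66
Address:    10.66.66.66#53

Name:   enterprise.local
Address: 1.2.3.4
"""

PROMPT_RE = re.compile(r"^\S+:/# nslookup (\S+)$")


def parse_nslookup(transcript):
    """Split an nslookup session into {name: {"server": ip, "addresses": [ip, ...]}}."""
    results = {}
    current = None
    in_answer = False
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = {"server": None, "addresses": []}
            results[m.group(1)] = current
            in_answer = False
            continue
        if current is None:
            continue
        if line.startswith("Server:"):
            current["server"] = line.split()[1]
        elif line.startswith("Name:"):
            in_answer = True  # Address lines after Name: are answers, not the resolver
        elif line.startswith("Address:") and in_answer:
            current["addresses"].append(line.split()[1])
    return results


def audit_resolution(results, known_resolvers=KNOWN_RESOLVERS):
    """Return findings: unknown resolver, empty answer, or .local name with a public answer."""
    findings = []
    for name, r in results.items():
        if r["server"] not in known_resolvers:
            findings.append(f"{name}: answered by unknown resolver {r['server']}")
        if not r["addresses"]:
            findings.append(f"{name}: no answer")
        for addr in r["addresses"]:
            if name.endswith(".local") and not ipaddress.ip_address(addr).is_private:
                findings.append(f"{name}: internal name resolved to public address {addr}")
    return findings


if __name__ == "__main__":
    for label, text in (("lab", TRANSCRIPT), ("tampered", TAMPERED_TRANSCRIPT)):
        findings = audit_resolution(parse_nslookup(text))
        print(label, "OK" if not findings else findings)
```

To use it on a live node, paste the output of the nslookup session into TRANSCRIPT or pipe it in; an unknown resolver in the Server line is the first thing to look at when resolution behaves unexpectedly after a firewall or DHCP change.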

Mutt

End-user systems use the Mutt mail client for sending and retrieving emails.

  • Launch: Type in the terminal:
    mutt
    
  • Editor Usage: When composing mail, use the built-in editor (vi keybindings). Press i to start writing (insert mode). To save the changes and exit the editor, use the command :wq.
  • Note: The client does not detect new emails in real-time. You must exit and restart the program to refresh the inbox.

WORKING ON THIS:

  • ICMP traffic only on eth1:

    tcpdump -i eth1 icmp -nn

  • Testing the Suricata configuration:

    suricata -T -c /etc/suricata/suricata.yaml

  • To follow the Suricata and Logwatch container logs:

    docker logs -f clab-virtual-env-ids
    docker logs -f clab-virtual-env-logwatch

  • View the log data as it grows (first form from the host, second form from inside the IDS container):

    docker exec -it clab-virtual-env-ids tail -f /var/log/suricata/eve.json
    tail -f /var/log/suricata/eve.json

  • View only the log lines that contain certain words:

    docker logs -f clab-virtual-env-ids 2>&1 | grep -Ei 'elastic|filebeat|elasticsearch|kibana'

  • Elasticsearch cluster health:

    curl http://192.168.20.11:9200/_cluster/health?pretty

  • See the resource consumption of the machines:

    docker stats

  • Beats monitoring endpoint stats (port 5066 is the default Beats HTTP endpoint):

    curl -s http://localhost:5066/stats

  • Elasticsearch indices, shards and data streams:

    curl -s "http://192.168.20.11:9200/_cat/indices?v"
    curl -X GET "http://192.168.20.11:9200/_cat/indices?v"
    curl -X GET "http://192.168.20.11:9200/_cat/shards?v"
    curl 192.168.20.11:9200/_cat/indices?v
    curl 192.168.20.11:9200/_data_stream?pretty
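The cluster health and _cat/indices queries above answer two questions: is the cluster usable, and is the Suricata data actually arriving? The script below is an added example, not part of the lab's own tooling. It parses a _cluster/health?pretty response and two _cat/indices?v snapshots taken a few minutes apart, reports red indices and cluster status, and flags any index with the assumed "suricata-" prefix whose docs.count did not grow between the snapshots. All three outputs (cluster name vntd-lab, the index names and counts) are constructed for this example, not captured from the lab.

```python
import json

# Constructed `curl .../_cluster/health?pretty` response (not captured from the lab).
HEALTH = """{
  "cluster_name" : "vntd-lab",
  "status" : "yellow",
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 3,
  "active_shards" : 3,
  "unassigned_shards" : 2,
  "active_shards_percent_as_number" : 60.0
}"""

# Constructed `curl .../_cat/indices?v` outputs, taken twice a few minutes apart.
CAT_BEFORE = """\
health status index                  uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   suricata-eve-000001    aaaaaaaaaaaaaaaaaaaaaa   1   1      15320            0      9.8mb          9.8mb
green  open   .kibana_1              bbbbbbbbbbbbbbbbbbbbbb   1   0         42            3    500.1kb        500.1kb
yellow open   suricata-alerts-000001 cccccccccccccccccccccc   1   1          0            0       225b           225b
"""
CAT_AFTER = """\
health status index                  uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   suricata-eve-000001    aaaaaaaaaaaaaaaaaaaaaa   1   1      16950            0     10.7mb         10.7mb
green  open   .kibana_1              bbbbbbbbbbbbbbbbbbbbbb   1   0         42            3    500.1kb        500.1kb
yellow open   suricata-alerts-000001 cccccccccccccccccccccc   1   1          0            0       225b           225b
"""


def parse_cat_indices(text):
    """Turn the `_cat/indices?v` table into {index_name: {column: value}}.
    The header row gives the column names, so extra columns in newer versions are fine."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = {}
    for line in lines[1:]:
        fields = dict(zip(header, line.split()))
        fields["docs.count"] = int(fields["docs.count"])
        rows[fields["index"]] = fields
    return rows


def doc_growth(before, after):
    """Per-index change in docs.count between two snapshots (indices present in both)."""
    return {name: after[name]["docs.count"] - before[name]["docs.count"]
            for name in before if name in after}


def check_pipeline(health_text, before_text, after_text, prefix="suricata-"):
    """Findings about cluster state and about data not arriving in the IDS indices."""
    health = json.loads(health_text)
    before, after = parse_cat_indices(before_text), parse_cat_indices(after_text)
    findings = []
    if health["status"] == "red":
        findings.append("cluster status red: some primary shards are unassigned")
    elif health["status"] == "yellow" and health["number_of_data_nodes"] == 1:
        # On a single data node, yellow only means replica shards cannot be placed.
        findings.append("cluster yellow on a single data node: replicas unassigned (expected in a one-node lab)")
    for name, row in after.items():
        if row["health"] == "red":
            findings.append(f"{name}: index red")
    for name, delta in doc_growth(before, after).items():
        if name.startswith(prefix) and delta == 0:
            findings.append(f"{name}: no new documents between snapshots")
    return findings


if __name__ == "__main__":
    for finding in check_pipeline(HEALTH, CAT_BEFORE, CAT_AFTER):
        print(finding)
```

In practice the two snapshots come from running the `_cat/indices?v` curl twice; an index that stays at the same docs.count while eve.json keeps growing points at the shipper (Filebeat) or its output configuration rather than at Suricata.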

  • All traffic on eth1:

    tcpdump -i eth1 -nn

  • Suricata engine log:

    tail -f /var/log/suricata/suricata.log

  • New Kibana enrollment token?

    /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

  • Generate encryption keys (three runs of openssl rand -hex 32 on the host, from the virtual-network-threat-detection repository directory; these are the values pasted from that session, and since they now sit in the repository they should be regenerated rather than reused):

    $ openssl rand -hex 32
    030e45276c3281853828085982ad1a2bfb6135938eb75fbc565180bed971a3ff
    $ openssl rand -hex 32
    ad421a81cf29bc36cf62900a8123657600732d2ddf0ed0b685975e9cba9ef366
    $ openssl rand -hex 32
    b94ff7ec329b719a062f78feb7fd5b6d2259caa4e87718fd7a61002fa62973ea

Server check service when attacking

  • Count the connections on port 80:

    netstat -ant | grep :80 | wc -l

  • htop: not installed.
  • ss -s: still to be checked.
  • Check from the client constantly (nice for the DoS SYN flood test):

    while true; do curl -s enterprise.com; sleep 5; done
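The `netstat -ant | grep :80 | wc -l` count above mixes states (LISTEN, ESTABLISHED, SYN_RECV) and also matches foreign ports and other local ports that merely contain ":80" (such as :8080), so during the SYN flood test it does not say how much of the backlog is half-open. The script below is an added example, not part of the lab's own tooling: it parses `netstat -ant` output, counts TCP states for sockets whose local port is 80, lists which peers hold the half-open connections, and flags the SYN-flood pattern (many SYN_RECV, few ESTABLISHED) against an assumed threshold. The netstat output, the server address 192.168.30.10 and the peer addresses are constructed for this example.

```python
from collections import Counter

# Constructed `netstat -ant` output as a web server might show it during the SYN flood
# test (not captured from the lab). Columns: Proto Recv-Q Send-Q Local Foreign State.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.30.10:80        192.168.50.20:51234     ESTABLISHED
tcp        0      0 192.168.30.10:80        192.168.50.99:40001     SYN_RECV
tcp        0      0 192.168.30.10:80        192.168.50.99:40002     SYN_RECV
tcp        0      0 192.168.30.10:80        192.168.50.99:40003     SYN_RECV
tcp        0      0 192.168.30.10:80        192.168.50.98:40004     SYN_RECV
tcp        0      0 192.168.30.10:22        192.168.10.5:39000      ESTABLISHED
tcp        0      0 192.168.30.10:8080      192.168.10.5:39001      ESTABLISHED
"""


def split_addr(addr):
    """'192.168.30.10:80' -> ('192.168.30.10', '80'); also handles ':::22' and '*' ports."""
    host, _, port = addr.rpartition(":")
    return host, port


def tcp_rows(netstat_text):
    """Yield the split fields of the tcp/tcp6 lines only (header lines are skipped)."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp"):
            yield fields


def port_states(netstat_text, port):
    """Count TCP states for sockets whose *local* port is `port`.
    Unlike `grep :80`, this ignores :8080 and foreign ports that contain the digits."""
    states = Counter()
    for fields in tcp_rows(netstat_text):
        if split_addr(fields[3])[1] == str(port):
            states[fields[5]] += 1
    return states


def half_open_sources(netstat_text, port):
    """Peers holding half-open (SYN_RECV) connections to `port`, most frequent first."""
    sources = Counter()
    for fields in tcp_rows(netstat_text):
        if fields[5] == "SYN_RECV" and split_addr(fields[3])[1] == str(port):
            sources[split_addr(fields[4])[0]] += 1
    return sources


def syn_pressure(states, max_half_open=64):
    """Summarise backlog pressure. The threshold is an assumption for this lab; on a real
    server compare it with net.ipv4.tcp_max_syn_backlog and the listen backlog."""
    half_open = states["SYN_RECV"]
    return {
        "half_open": half_open,
        "established": states["ESTABLISHED"],
        "flagged": half_open >= max_half_open,
    }


if __name__ == "__main__":
    states = port_states(NETSTAT_SAMPLE, 80)
    print(dict(states))
    print(half_open_sources(NETSTAT_SAMPLE, 80).most_common(3))
    print(syn_pressure(states, max_half_open=3))
```

On the lab web server this can replace the grep one-liner: `netstat -ant | python3 this_script.py` with `NETSTAT_SAMPLE` swapped for `sys.stdin.read()`. The client-side `while true; do curl ...` loop shows whether the service still answers; this view shows why it stops answering.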

From Suricata I'll need:

  • Flow metadata
  • Timing
  • Bytes
  • Ports
  • Protocol
  • Flags
  • DNS queries
  • HTTP hostnames
  • TLS fingerprints
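Every item in that list is a field of the eve.json file that the tail commands above follow. The script below is an added example, not part of the lab's own tooling: it parses EVE JSON lines, skips the partial last line that `tail -f` shows while Suricata is still writing, pulls out the flow metadata, timing, bytes, ports, protocol, TCP flags, DNS query name, HTTP hostname and TLS SNI/JA3/certificate fingerprint, and joins the events of the same flow_id into one row so the flow record carries its application-layer context. The field paths follow the Suricata EVE format; the six log lines, their addresses and the JA3 value PLACEHOLDER-JA3-HASH are constructed for this example, not captured from the lab.

```python
import json
from collections import defaultdict

# Constructed EVE JSON lines (not from the lab). The last one is deliberately truncated,
# as the final line of a growing eve.json often is when read with tail -f.
EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":1001,"event_type":"dns","src_ip":"192.168.50.20","src_port":41000,"dest_ip":"192.168.10.10","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7,"rrname":"enterprise.local","rrtype":"A"}}',
    '{"timestamp":"2024-05-01T10:00:01.200000+0000","flow_id":1002,"event_type":"http","src_ip":"192.168.50.20","src_port":41001,"dest_ip":"192.168.10.10","dest_port":80,"proto":"TCP","http":{"hostname":"enterprise.local","url":"/","http_method":"GET","status":200,"length":34}}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","flow_id":1003,"event_type":"tls","src_ip":"192.168.50.20","src_port":41002,"dest_ip":"172.16.100.100","dest_port":443,"proto":"TCP","tls":{"sni":"internet.com","version":"TLS 1.3","fingerprint":"aa:bb:cc:dd","ja3":{"hash":"PLACEHOLDER-JA3-HASH"}}}',
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","flow_id":1002,"event_type":"flow","src_ip":"192.168.50.20","src_port":41001,"dest_ip":"192.168.10.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":520,"bytes_toclient":710,"start":"2024-05-01T10:00:01.150000+0000","end":"2024-05-01T10:00:04.900000+0000","age":3,"state":"closed","reason":"timeout"},"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"state":"closed"}}',
    '{"timestamp":"2024-05-01T10:00:06.000000+0000","flow_id":1004,"event_type":"alert","src_ip":"192.168.50.99","src_port":40001,"dest_ip":"192.168.30.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED TEST RULE","category":"Test","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:07.000000+0000","flow_id":1005,"event_type":"fl',
]

# Output column -> path inside the event, grouped by EVE event_type.
FIELDS = {
    "flow": {"flow_start": ["flow", "start"], "flow_end": ["flow", "end"],
             "bytes_toserver": ["flow", "bytes_toserver"], "bytes_toclient": ["flow", "bytes_toclient"],
             "flow_state": ["flow", "state"], "tcp_flags": ["tcp", "tcp_flags"]},
    "dns": {"dns_query": ["dns", "rrname"], "dns_rrtype": ["dns", "rrtype"]},
    "http": {"http_hostname": ["http", "hostname"], "http_url": ["http", "url"]},
    "tls": {"tls_sni": ["tls", "sni"], "tls_ja3": ["tls", "ja3", "hash"],
            "tls_cert_fingerprint": ["tls", "fingerprint"]},
    "alert": {"alert_signature": ["alert", "signature"], "alert_severity": ["alert", "severity"]},
}
# Fields every event type carries (the 5-tuple).
COMMON = ["proto", "src_ip", "src_port", "dest_ip", "dest_port"]


def dig(obj, path):
    """Walk nested keys; return None when any level is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def parse_eve(lines):
    """Parse EVE JSON lines into dicts. Returns (events, skipped); unparsable
    (partial) lines are counted, not raised, so a growing file can be read safely."""
    events, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def build_flow_table(events):
    """Join events by flow_id: one row per flow with its 5-tuple, first timestamp,
    byte counts and TCP flags, plus DNS/HTTP/TLS/alert context from the same flow."""
    table = defaultdict(dict)
    for ev in events:
        fid = ev.get("flow_id")
        if fid is None:
            continue
        row = table[fid]
        row.setdefault("first_seen", ev.get("timestamp"))
        for key in COMMON:
            row.setdefault(key, ev.get(key))
        for col, path in FIELDS.get(ev.get("event_type"), {}).items():
            val = dig(ev, path)
            if val is not None:
                row[col] = val
        row.setdefault("event_types", []).append(ev.get("event_type"))
    return dict(table)


if __name__ == "__main__":
    events, skipped = parse_eve(EVE_LINES)
    print(f"parsed {len(events)} events, skipped {skipped} partial line(s)")
    for fid, row in build_flow_table(events).items():
        print(fid, row)
```

To run it against the real file, replace EVE_LINES with the lines of /var/log/suricata/eve.json (or the output of the `docker exec ... tail -f` command above); the joined rows are the per-flow records the list above asks for, ready to be indexed or fed to a model.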