Re-Blog from HERE
TCPDUMP expressions are also known as BPF, or Berkeley Packet Filters. On a TCPDUMP command line they should always be placed inside single quotes (UNIX) or double quotes (Windows).
Expressions
- tcpdump host profl - dumps all packets to or from host profl
- tcpdump ether host 11:22:33:44:55:66 - dumps all packets to or from that MAC address
- tcpdump net 192.168.12.4/30 - dumps all packets to or from a network, specified using CIDR notation
- tcpdump net 192.168.12.4 mask 255.255.255.252 - dumps all packets to or from a network, specified using a mask
- tcpdump tcp src port 53 - dumps all packets with source port 53/tcp
- tcpdump udp and (src port 161 or 162 or 514) - looks for SYSLOG or SNMP packets being received
- tcpdump host {thisIP} - show only IP traffic to or from thisIP
- tcpdump host {thisIP} && host {thatIP} - show only IP traffic between thisIP and thatIP
- tcpdump !(host {myIP}) && {remainder of expression} - ignore traffic from myIP (necessary if you're running TCPDUMP on a remote machine, to stop it from capturing the terminal session with your machine)
Primitives
- icmp[0] = 0 - show only echo reply
- tcp[13] & 3 != 0 (or tcp[tcpflags] & (tcp-syn | tcp-fin) != 0) - show only SYN or FIN packets
- tcp[13] & 0x12 = 0x12 (or tcp[tcpflags] & (tcp-syn | tcp-ack) = (tcp-syn | tcp-ack)) - show only SYN/ACK packets (testing for != 0 would match any packet with either SYN or ACK set)
- ip[2:2] > 576 - show only packets longer than 576 bytes
- icmp[0] = 3 and icmp[1] = 4 - show ICMP type 3, code 4 (needs fragmenting but DF bit set)
- ip[6] & 0x40 = 0x40 - show only IP packets with DF bit set
- vlan && ip - show only IEEE 802.1q IP packets. Changes the decoding offsets for the remainder of the expression, as if the VLAN header had been stripped away.
- vlan 186 && ip - show only IP packets in IEEE 802.1q VLAN number 186.
- ip proto 50 - show only ESP packets (IP protocol 50)
- ip proto 112 - show only VRRP packets (IP protocol 112)
- proto vrrp - all VRRP packets (works on IPSO)
Assorted
Goal is to set up a PDC with a small group of computers for SSO and the possibility of pushing out a few configurations and perhaps printers.
Established this environment in a VM on a local network so as not to impact any form of production.
Rough steps:
Install and configure Samba.
Join machines into the domain.
Enjoy.
Install and configure Samba:
yum install samba
vim /etc/samba/smb.conf
[global]
workgroup = AWESOME_DOMAIN
server string = Samba Server Version %v
netbios name = ServerName
# only these networks may connect to the server
hosts allow = 127. 192.168.56. 192.168.0.
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam
password server = *
domain master = yes
domain logons = yes
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
# userdel cannot remove a user from a single group; gpasswd -d can
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"
local master = yes
os level = 33
preferred master = yes
wins support = yes
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writable = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
smbpasswd -a root
smbpasswd -a <a user on the local system>
chkconfig smb on
chkconfig nmb on
service smb start
service nmb start
Set the Windows Admin password just to be safe.
Add the "domain" users into an appropriate Windows group (local admin).
On the Windows client, join the domain as root.
Test login with a "domain" user.
Configure the firewall to allow SMB connections:
#Allow Samba File Services
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 445 -j ACCEPT
Reboot client and server to verify.
Hardware and ASCII art:
In ports... (10,11*,12,15*) *=inverted
Out ports... (2-9)
Grounds (18,19,20,21,22,23,24,25)
Legend: <= in, => out, == ground

Dir  DB25   Cent   Signal     Reg/Bit  Function / Notes
---  -----  -----  ---------  -------  -----------------------------------
=>   1      1      -Strobe    C0-      Set Low pulse >0.5 us to send
=>   2      2      Data 0     D0       Set to least significant data
=>   3      3      Data 1     D1       ...
=>   4      4      Data 2     D2       ...
=>   5      5      Data 3     D3       ...
=>   6      6      Data 4     D4       ...
=>   7      7      Data 5     D5       ...
=>   8      8      Data 6     D6       ...
=>   9      9      Data 7     D7       Set to most significant data
<=   10     10     -Ack       S6+      IRQ Low pulse ~5 us, after accept
<=   11     11     +Busy      S7-      High for Busy/Offline/Error
<=   12     12     +PaperEnd  S5+      High for out of paper
<=   13     13     +SelectIn  S4+      High for printer selected
=>   14     14     -AutoFd    C1-      Set Low to autofeed one line
<=   15     32     -Error     S3+      Low for Error/Offline/PaperEnd
=>   16     31     -Init      C2+      Set Low pulse >50 us to init
=>   17     36     -Select    C3-      Set Low to select printer
==   18-25  19-30  Ground
From the back of the computer ---
                                 |
                                 v
 ____________________________________________________________
/                                                            \
\   13  12  11  10   9   8   7   6   5   4   3   2   1       /
 \                                                          /
  \   25  24  23  22  21  20  19  18  17  16  15  14       /
   \______________________________________________________/
Now that we know the hardware, on to the software:
Send and receive values to and from the parallel port via this [quick and dirty] code. Compile under Linux with "gcc lpr_out.c -o lpr_out". You will need to run this code as root because of ioperm(), or play with the mode of your lpt port.
Kernel 2.6.x series (when, or if, re-compiling don't forget these):
Device Drivers --->
Parallel port support --->
<*> Parallel port support
<*> PC-style hardware
<*> Multi-IO cards (parallel and serial)
[*] Use FIFO/DMA if available (EXPERIMENTAL)
[*] SuperIO chipset support (EXPERIMENTAL)
[*] Support foreign hardware
[*] IEEE 1284 transfer modes
/* lpr_out.c - usage: lpr_out [0-255] (0 = all off, 255 = all on) */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/io.h>   /* ioperm(), outb(), inb(); older trees used <asm/io.h> */

#define base 0x378    /* printer port base address (data register) */
#define value 255     /* numeric value to send to printer port */

int main(int argc, char **argv)
{
    int pin_numbers;
    if (argc != 2) {
        fprintf(stderr, "Usage: %s [0-255]\n", argv[0]);
        return 1;
    }
    pin_numbers = atoi(argv[1]) & 0xff;   /* translate the key input from argv, one byte */
    /* needs root: request base, base+1 (status) and base+2 (control) */
    if (ioperm(base, 3, 1)) {
        fprintf(stderr, "Couldn't get the port at %x\n", base);
        return 1;
    }
    outb(pin_numbers, base);                                  /* drive data pins 2-9 */
    printf("output pins have a value of: %d\n", pin_numbers);
    printf("input pins have a value of: %d\n", inb(base + 1)); /* read status register */
    ioperm(base, 3, 0);                                       /* release the port */
    return 0;
}
Pin    2  3  4  5   6   7   8    9
Value  1  2  4  8  16  32  64  128
(e.g. to turn on pin 2 and pin 5, just add the value of pin 2 (1) to the value of pin 5 (8) for a final value of 9)
Combine this with a bit of python or php and you have quick n easy web enabled I/O to a parallel port. Think robot / home automation / world control! ;-)
Upgrade was rather painless.
Build new server.
Tar up necessary files
Move Database
Follow instructions on MT's website.
Test Successful...
for i in {1..4}; do dd if=/dev/sda$i conv=sync bs=1M | gzip > /blah/partition$i.img; done && dd if=/dev/sda of=/blah/bootsector.img bs=512 count=1
An example of how to go from Linux to vfat:
mkdosfs -s 8 -F 32 /dev/sdb5    (4kB block size)
mount -t vfat -o shortname=mixed,iocharset=utf8 /dev/sda1 /mnt
rsync --modify-window=1 -rtv --delete /data/mp3/ /mnt/mp3
Growing a software RAID (re-visited)
Rough Notes:
(clone partition table)
sfdisk -d /dev/hdc | sfdisk /dev/hdd
Add in an extra spare for /dev/md0 ( "boot" - /boot )
mdadm /dev/md0 -a /dev/hdd1
Add in an extra spare for /dev/md2 ( "root" - / ) and then grow it.
mdadm /dev/md2 -a /dev/hdd3
mdadm /dev/md2 --grow --raid-devices=4
[root@landfill ~]# cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4] [raid0] [raid1]
md0 : active raid1 hdd1[3](S) hdc1[2](S) hdb1[1] hda1[0]
104320 blocks [2/2] [UU]
md1 : active raid0 hdc2[2] hdb2[1] hda2[0]
1565952 blocks 256k chunks
md2 : active raid5 hdd3[3] hdc3[2] hdb3[1] hda3[0]
780164096 blocks super 0.91 level 5, 256k chunk, algorithm 2 [4/4] [UUUU]
[=>...................] reshape = 7.6% (29664512/390082048) finish=1653.2min speed=3630K/sec
unused devices: <none>
After much waiting, reboot into single user mode (this can probably be done online) and resize the filesystem:
fsck.ext3 /dev/md2
resize2fs /dev/md2
(RAID - 1) /boot is /dev/md0 (two spares 4 elements total)
(RAID - 0) swap is /dev/md1 (EDIT: This does not work. Use "raw" swap partitions.)
(RAID - 5) / is /dev/md2 (4 elements)
Serial terminal setup:
On the server you wish to enable serial console:
Determine the tty
[root@localhost ~]# dmesg | grep tty
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:08: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:09: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
Set kernel parameter for console enabled at boot:
kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/hda1 console=ttyS0,38400
Edit /etc/inittab and add the line:
s0:2345:respawn:/sbin/agetty -L -f /etc/issueserial 38400 ttyS0 vt100
On the workstation or server you wish to observe from:
yum install screen
Determine the tty, then attach at the same speed:
screen /dev/ttyS0 38400
Requirements:
RHEL / CENT / Fedora
Two NICs
dnsmasq
firewall script and tweaks to sysctl.conf
squid (optional)
eth0 and eth1
eth0 = WAN / Internet / External interface (192.168.1.0/24).
eth1 = LAN / Private Net / Local network (192.168.0.0/24).
dnsmasq:
yum install dnsmasq
[root@forgeman ~]# cat /etc/dnsmasq.conf | grep -v \# | grep -v ^$
interface=eth1
dhcp-range=192.168.0.50,192.168.0.150,12h
chkconfig dnsmasq on
sysctl.conf tweaks:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
Firewall Script:
[root@forgeman ~]# cat myiptables.sh
#!/bin/sh
WAN="eth0"
LAN="eth1"
# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Setting default filter policy
# (no -P FORWARD is set here, so the FORWARD policy stays at whatever it was, ACCEPT by default)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
## Trust your LAN
iptables -I INPUT -i $LAN -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Set up IP FORWARDing and Masquerading
# only replies to connections we started are accepted on the WAN side
iptables -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $WAN -j MASQUERADE
iptables --append FORWARD --in-interface $LAN -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
Squid optional:
yum install squid
[root@forgeman ~]# cat /etc/squid/squid.conf | grep -v \# | grep -v ^$
(Note: the grep -v \# also drops lines that carry a trailing comment, which is why the Safe_ports ACL referenced below does not show up in this listing; it is defined in the stock squid.conf and must stay in the file.)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl our_networks src 192.168.1.0/24 192.168.0.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 500 16 256
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname localhost.localdomain.oops
coredump_dir /var/spool/squid
