Eric Radman : a Journal

BSD: Networking Included

These are some everyday techniques that I use to get stuff done.

BSD Kernels track Duplicate IPs

The BSD kernels keep track of MAC-IP resolutions, and will log any changes. It's a good habit to check this after plugging your own laptop into a network. More than once I have plugged my Thinkpad into a network and broken some service because their DHCP server gave me an address that was already used.

$ dmesg
duplicate IP address sent from ethernet address 00:13:72:a7:ff:14
duplicate IP address sent from ethernet address 00:13:72:a7:ff:14
duplicate IP address sent from ethernet address 00:13:72:a7:f9:04
duplicate IP address sent from ethernet address 00:13:72:a7:f9:04

Run Daemons as Foreground Processes

Most BSD network daemons can be run in the foreground, which not only makes it easy to test a service again, but also lets you notice oddities immediately. Below is an example of a site that was configured with two competing DHCP servers.

$ doas dhclient -d fxp0
DHCPREQUEST on fxp0 to port 67
DHCPDISCOVER on fxp0 to port 67 interval 7
DHCPREQUEST on fxp0 to port 67
bound to -- renewal in 345600 seconds.

Resolve Common Ports

/etc/services is a handy reference for common protocols.

$ grep 138 /etc/services
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp

I also sometimes document an assignment by defining it in /etc/services, so that I know what port is used, especially on proprietary systems.

coral     11001/tcp  # Coral PBX management with CUGW

Quickly Find Proxy-Arp

This is insane; sometimes home-office routers are installed that have proxy-ARP enabled by default! (Linksys VPN routers come to mind.) A quick look at the ARP table will show this: the same MAC address appears for many different IPs.

$ arp -a
? ( at 00:0c:6e:41:e1:56 on xl2
? ( at 00:0c:6e:41:e1:56 on xl2
? ( at 00:0c:6e:41:e1:56 on xl2
? ( at 00:0c:6e:41:e1:56 on xl2
? ( at 00:0c:6e:41:e1:56 on xl2
? ( at 00:0c:6e:41:e1:56 on xl2
? ( at 00:50:ba:58:9e:64 on xl1
? ( at 00:11:09:c5:cb:8b on xl1
? ( at 00:13:72:d3:da:94 on xl1
? ( at 00:0a:6b:00:a5:8b on xl1
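
The same check as a filter, for tables too long to eyeball. This is an added example, not part of the original page; the function names and the sample table (documentation-range IPs) are constructed, and it assumes the `? (ip) at mac on ifc` layout shown above.

```shell
#!/bin/sh
# Added example: flag MACs that hold ARP entries for several IPs on one
# interface. Parses the "? (ip) at mac on ifc" layout shown above.

# find_proxy_arp [THRESHOLD]: read an ARP table on stdin and print
# "ifc mac count" for each MAC seen with at least THRESHOLD distinct IPs.
find_proxy_arp() {
    awk -v min="${1:-3}" '
    {
        ip = ""; mac = ""; ifc = ""
        for (i = 1; i <= NF; i++) {
            if (ip == "" && $i ~ /^\(.*\)$/) ip = substr($i, 2, length($i) - 2)
            else if ($i == "at" && i < NF)   mac = tolower($(i + 1))
            else if ($i == "on" && i < NF)   ifc = $(i + 1)
        }
        if (ip == "" || ifc == "") next
        # drop "(incomplete)" entries, malformed MACs and broadcast
        if (split(mac, part, ":") != 6 || mac !~ /^[0-9a-f:]+$/) next
        if (mac == "ff:ff:ff:ff:ff:ff") next
        # count each (interface, MAC, IP) combination once
        if (!seen[ifc, mac, ip]++) count[ifc " " mac]++
    }
    END {
        for (k in count)
            if (count[k] >= min) print k, count[k]
    }' | sort
}

# Constructed sample table (documentation-range IPs, not real data).
sample_arp_table() {
    cat <<'EOF'
? (192.0.2.10) at 00:0c:6e:41:e1:56 on xl2
? (192.0.2.11) at 00:0c:6e:41:e1:56 on xl2
? (192.0.2.12) at 00:0c:6e:41:e1:56 on xl2
? (192.0.2.13) at 00:0c:6e:41:e1:56 on xl2
? (198.51.100.5) at 00:50:ba:58:9e:64 on xl1
? (198.51.100.6) at 00:11:09:c5:cb:8b on xl1
? (198.51.100.7) at (incomplete) on xl1
EOF
}

sample_arp_table | find_proxy_arp 3
```

On a live system, pipe `arp -an` into `find_proxy_arp`. A host with several IP aliases also shows one MAC for many addresses, so treat a hit as a lead to confirm.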

Finding the Gateway

Most ARP requests will come from the gateway on a given subnet. The volume of requests makes it easy to find the gateway.

$ doas tcpdump -n arp
tcpdump: listening on rl0, link-type EN10MB
20:20:13.080158 arp who-has tell
20:20:18.584708 arp who-has tell
20:20:24.931355 arp who-has tell
20:20:25.955077 arp who-has tell
20:20:31.955179 arp who-has tell

Log Traffic Between two Devices

If you can't get a hub in between two points, or a switch that supports port mirroring, a second NIC in a laptop can be set up as a bridge between the two points so that a full network trace can be captured. In my T30, fxp0 is a built-in network card and dc0 is a Xircom combo in my PCCard slot.

ifconfig fxp0 up
ifconfig dc0 up
ifconfig bridge0 up
brconfig bridge0 add fxp0
brconfig bridge0 add dc0
$ doas brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        dc0 flags=3<LEARNING,DISCOVER>
                port 5 ifpriority 0 ifcost 0
        fxp0 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):

Now I can log everything with snort

$ doas snort -l ./

or tcpdump

$ doas tcpdump -w file -i ath0
tcpdump: listening on ath0, link-type EN10MB
1557 packets received by filter
0 packets dropped by kernel

$ doas tcpdump -r file icmp

With a capture on file, comparisons are possible between different samples in time, and you may even be able to match up a flow with a specific event that you learn of from others there.

Double-Check Subnet Masks

Even after setting up networks for a while, it's not hard to make a mistake in calculating subnets, so an IP calculator is a handy way to check yourself. It can be installed from ports under net/ipcalc.

$ ipcalc
address   :
netmask   : (0xfffffff0)
network   :     /28
broadcast :
host min  :
host max  :
hosts/net : 14

Check File Integrity

A router can corrupt a data stream. This is rare, but when transferring files I've demonstrated that a Cisco 3640 can corrupt the payload of TCP packets. Armed with md5 you may catch some tricky glitches in hardware or software.

$ md5
MD5 ( = 0f155c2bd57bbba564c899da50504ce5
$ ftp
Requesting (via
100% |**************************************************|  3090 KB    00:20
Successfully retrieved file.

$ md5
MD5 ( = 0f155c2bd57bbba564c899da50504ce5

Simply comparing file sizes is not a good method of testing the validity of a transmission.

Routing Loops

Finding routing loops is not an advanced topic and does not require a specialized set of tools. Thanks to tcpdump you can check for this anywhere by watching the ttl values. Here we have a switching loop (duplicate packets) and a routing loop (TTL moving to 0) on the same LAN.

$ doas tcpdump -i fxp0 port 445
14:02:25.944847 IP (tos 0x0, ttl   8, id 15937, offset 0, flags [DF], =
proto: TCP (6), length: 79) > P, =
cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
14:02:25.944861 IP (tos 0x0, ttl   7, id 15937, offset 0, flags [DF], =
proto: TCP (6), length: 79) > P, =
cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
14:02:25.944985 IP (tos 0x0, ttl   8, id 15937, offset 0, flags [DF], =
proto: TCP (6), length: 79) > P, =
cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529

Many times this can be caused by servers with IP forwarding enabled. Test a suspect by trying to route packets through the suspect.

$ doas route delete default
$ doas route add default
$ ping
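
The TTL-watching technique above can be automated over verbose tcpdump output. This is an added example, not part of the original page; the function names and the sample lines (with documentation-range addresses) are constructed, and it assumes the capture is already filtered to one flow, as with `port 445` above, so the IP id alone identifies a datagram.

```shell
#!/bin/sh
# Added example: spot loops in `tcpdump -v` style output by tracking the
# IP id of each datagram. The same id seen twice with the same TTL is a
# duplicate (switching loop); the same id with different TTLs means the
# packet came back after being routed (routing loop).

find_loops() {
    awk '
    /ttl/ && match($0, /ttl +[0-9]+/) {
        ttl = substr($0, RSTART + 3, RLENGTH - 3) + 0
        if (!match($0, /, id [0-9]+/)) next
        id = substr($0, RSTART + 5, RLENGTH - 5) + 0
        if (id == 0) next   # id 0 is reused by some stacks, not unique
        if (!(id in hi)) { hi[id] = ttl; lo[id] = ttl }
        if (ttl > hi[id]) hi[id] = ttl
        if (ttl < lo[id]) lo[id] = ttl
        if (++seen[id, ttl] > 1) dup[id] = 1
    }
    END {
        for (id in hi) {
            verdict = ""
            if (lo[id] < hi[id]) verdict = verdict " routing-loop"
            if (id in dup)       verdict = verdict " switching-loop"
            if (verdict != "")
                printf "id %d ttl %d->%d%s\n", id, hi[id], lo[id], verdict
        }
    }' | sort
}

# Constructed sample capture modelled on the output above.
sample_capture() {
    cat <<'EOF'
14:02:25.944847 IP (tos 0x0, ttl   8, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 192.0.2.10.445 > 192.0.2.20.1042: P
14:02:25.944861 IP (tos 0x0, ttl   7, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 192.0.2.10.445 > 192.0.2.20.1042: P
14:02:25.944985 IP (tos 0x0, ttl   8, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 192.0.2.10.445 > 192.0.2.20.1042: P
14:02:26.101200 IP (tos 0x0, ttl 128, id 15938, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.20.1042 > 192.0.2.10.445: .
EOF
}

sample_capture | find_loops
```

A single TTL decrement can also come from a router forwarding a packet back out the interface it arrived on; a long run of decrements toward 0 is the loop proper.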

TFTP is Standard

It's good to be in the habit of copying off the configuration of routers and switches before you modify them, so that you have a backup.

# /etc/inetd.conf
tftp dgram udp  wait root /usr/libexec/tftpd  tftpd -s /tftpboot
tftp dgram udp6 wait root /usr/libexec/tftpd  tftpd -s /tftpboot

I link the TFTP folder /tftpboot to my home directory. The important thing is that inetd has write permission to the file you want to copy to.

$ ls -l /tftpboot
lrwxr-xr-x  1 root  wheel  18 Dec 14 03:19 /tftpboot -> /home/eradman/tftp
$ touch ~/tftp/PIX515-GATEWAY
$ chmod 666 ~/tftp/PIX515-GATEWAY

Log Everything in tmux(1)

tmux doesn't provide a built-in shortcut for logging the output of a session, but it can be easily toggled by adding shortcuts to .tmux.conf

bind-key H pipe-pane "exec cat >>$HOME/'#W-tmux.log'" \; \
    display-message 'Started logging to $HOME/#W-tmux.log'
bind-key h pipe-pane \; \
    display-message 'Ended logging to $HOME/#W-tmux.log'

Domain Internet Groper

host gives you what you need to know now

$ host
has address
has IPv6 address 2001:470:1f00:297:a00:20ff:fe9e:b3e1
mail is handled by 10

And dig provides a flexible interface for searching DNS

$ dig @ ns +short

Use -x for reverse lookups.

Find Manufacturer of Device

First get . The first six octets are the manufacturer of a particular NIC, so if you know the address of the offending device you may be able to tell what kind of device it's in.

$ arp -an | sed 's/:/-/g'
? ( at 00-01-03-e9-c2-b2 on xl2 static

$ grep -i 00-01-03 ~/documents/oui.txt
00-01-03   (hex)                3COM CORPORATION

nmap does this automatically.

Searching for Wireless Networks

OpenBSD's ifconfig(8) completely unifies configuration of various network cards, including wireless adaptors. To scan the SSIDs visible to your laptop use the scan parameter

$ doas ifconfig wpi0 scan
        lladdr 00:1b:77:11:10:c5
        priority: 4
        groups: wlan egress
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid 0024A5B3D55F chan 1 bssid 00:24:a5:b3:d5:5f 63dB ...
                nwid 0x00 chan 11 bssid 00:1d:a2:84:cd:30 62dB 54M ...
                nwid guest chan 11 bssid 00:1d:a2:84:cd:31 50dB 54M ...
                nwid avctrl chan 11 bssid 00:1d:a2:84:cd:32 53dB 54M ...
        inet netmask 0xfffffff0 broadcast

RS-232 aka Serial Devices

Serial access is also built-in:

$ cu -s 19200 -l cuaU0

BREAK is ~. If you have a USB-to-serial converter you can access it like so

$ dmesg
ugen1 at uhub6 port 3 configuration 1 "Research In Motion RIM Composite Device" rev 2.00/2.32 addr 8
uplcom0 at uhub3 port 1 "Prolific Technology Inc. USB-Serial Controller D" rev 1.10/4.00 addr 2
ucom0 at uplcom0

Print Configuration

12-point courier wastes a lot of paper if you need to print some text. Install a2ps from ports and use half as much.

$ a2ps -2 ap.conf -M A5 -o

Sample page with two columns

BSD Telnet Works

It may be a well-kept secret that BSD telnet can send one character at a time, which is sometimes required to simulate a serial link on terminals that need it for password prompts, etc.

$ telnet 10001
Connected to
Escape character is '^]'.

telnet> mode character

Better yet, add common connection parameters to .telnetrc

# The Simplicity VM
  mode character
  # do-nothing to make the above line work:
  set crmod off

XTerm as an ANSI Terminal with VGA Fonts

$ cd /usr/X11R6/lib/X11/fonts/misc
$ doas ftp
$ doas ftp
$ doas ftp
$ doas mkfontdir

Thanks to Garry Dolley for posting these fonts and for showing how to do this on OS X as well.

xterm +sb -fn vga -bg darkblue -fg white

This is a view to the text console

HP iLO using VGA fonts

Custom Key-Mappings

Proprietary applications often expect goofy character combinations for normal use. The key translations in XTerm are very flexible because you can map a key pair to any string of characters. I used Vim to figure out each key code by moving the cursor to a character or code, like ^M, and typing ga to show the hex code in the status line. This is part of my .Xdefaults

XTerm*VT100.translations: #override \n \
 ~Shift <Key>F1:        string(0x1) string(0x40) string(0xd) \n\
 ~Shift <Key>F2:        string(0x1) string(0x41) string(0xd) \n\
 ~Shift <Key>F3:        string(0x1) string(0x42) string(0xd) \n\
 ~Shift <Key>F4:        string(0x1) string(0x43) string(0xd) \n\
 ~Shift <Key>F5:        string(0x1) string(0x44) string(0xd) \n\
 ~Shift <Key>F6:        string(0x1) string(0x45) string(0xd) \n\
 ~Shift <Key>F7:        string(0x1) string(0x46) string(0xd) \n\
 ~Shift <Key>F8:        string(0x1) string(0x47) string(0xd) \n\
 ~Shift <Key>F9:        string(0x1) string(0x48) string(0xd) \n\
 ~Shift <Key>F10:       string(0x1) string(0x49) string(0xd) \n\

These keys enabled me to manage an old Tadiran voicemail via a network serial port:

DOS-based voicemail using VGA fonts

Last updated on December 06, 2021