BSD: Networking Included
These are some every-day techniques that I use to get stuff done.
BSD Kernels track Duplicate IPs
The BSD kernels keep track of MAC-IP resolutions, and will log any changes. It's a good habit to check this after plugging your own laptop into a network. More than once I have plugged my Thinkpad into a network and broken some service because their DHCP server gave me an address that was already used.
$ dmesg
...
duplicate IP address 18.104.22.168 sent from ethernet address 00:13:72:a7:ff:14
duplicate IP address 22.214.171.124 sent from ethernet address 00:13:72:a7:ff:14
duplicate IP address 126.96.36.199 sent from ethernet address 00:13:72:a7:f9:04
duplicate IP address 188.8.131.52 sent from ethernet address 00:13:72:a7:f9:04
Run Daemons as Foreground Processes
Most BSD network daemons can be run in the foreground, which not only makes it easy to test a service over and over, but also lets you notice oddities immediately. Below is an example from a site that was configured with two competing DHCP servers.
$ doas dhclient -d fxp0
DHCPREQUEST on fxp0 to 255.255.255.255 port 67
DHCPNAK from 184.108.40.206
DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 7
DHCPOFFER from 220.127.116.11
DHCPOFFER from 18.104.22.168
DHCPREQUEST on fxp0 to 255.255.255.255 port 67
DHCPACK from 22.214.171.124
bound to 126.96.36.199 -- renewal in 345600 seconds.
Resolve Common Ports
/etc/services is a handy reference for common protocols.
$ grep 138 /etc/services
netbios-dgm     138/tcp     # NETBIOS Datagram Service
netbios-dgm     138/udp
I also sometimes document a port assignment by defining a name for it in
/etc/services, so that I know what port is used, especially on proprietary systems.
coral 11001/tcp # Coral PBX management with CUGW
Quickly Find Proxy-Arp
This is insane; sometimes home-office routers are installed that have proxy-ARP enabled by default! (Linksys VPN routers come to mind.) A quick look at the ARP table will show this: one MAC address answering for many IPs.
$ arp -a
? (192.168.1.36) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.43) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.46) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.49) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.51) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.56) at 00:0c:6e:41:e1:56 on xl2
? (192.168.6.38) at 00:50:ba:58:9e:64 on xl1
? (192.168.6.13) at 00:11:09:c5:cb:8b on xl1
? (192.168.6.17) at 00:13:72:d3:da:94 on xl1
? (192.168.6.18) at 00:0a:6b:00:a5:8b on xl1
Finding the Gateway
Most ARP requests on a given subnet will come from the gateway, and that volume of requests makes the gateway easy to find.
$ doas tcpdump -n arp
tcpdump: listening on rl0, link-type EN10MB
20:20:13.080158 arp who-has 192.168.168.199 tell 192.168.168.36
20:20:18.584708 arp who-has 192.168.168.191 tell 192.168.168.36
20:20:24.931355 arp who-has 188.8.131.52 tell 184.108.40.206
20:20:25.955077 arp who-has 192.168.168.199 tell 192.168.168.36
20:20:31.955179 arp who-has 192.168.168.199 tell 192.168.168.36
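As an added example (not code from the original page), here are two sh(1) functions that make the proxy-ARP check and the gateway check above repeatable: proxy_arp_suspects groups an arp -a table by MAC and interface and reports any MAC that answers for more than one IP, and top_arp_requester counts who sent the most who-has requests in a tcpdump -n arp trace. The arp and tcpdump output embedded in the script is constructed.

```shell
# Added example, not from the original page: two awk programs wrapped in
# sh functions that automate the ARP checks. Sample output is constructed.

# Constructed "arp -a" output: one MAC answering for three addresses on xl2.
SAMPLE_ARP='? (192.168.1.36) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.43) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.46) at 00:0c:6e:41:e1:56 on xl2
? (192.168.1.50) at (incomplete) on xl2
? (192.168.6.38) at 00:50:ba:58:9e:64 on xl1
? (192.168.6.13) at 00:11:09:c5:cb:8b on xl1'

# Constructed "tcpdump -n arp" output.
SAMPLE_TCPDUMP='20:20:13.080158 arp who-has 192.168.168.199 tell 192.168.168.36
20:20:18.584708 arp who-has 192.168.168.191 tell 192.168.168.36
20:20:24.931355 arp who-has 192.168.168.7 tell 192.168.168.50
20:20:25.955077 arp who-has 192.168.168.199 tell 192.168.168.36'

# Reads arp(8) output on stdin and prints "MAC iface count ip,ip,..." for
# every MAC that claims more than one IP on the same interface. A single
# MAC owning many addresses is the signature of a proxy-ARP router.
proxy_arp_suspects() {
    awk '$3 == "at" && $5 == "on" && $4 != "(incomplete)" {
        ip = substr($2, 2, length($2) - 2)     # strip the parentheses
        key = $4 " " $6
        n[key]++
        ips[key] = (n[key] == 1) ? ip : (ips[key] "," ip)
    }
    END { for (k in n) if (n[k] > 1) print k, n[k], ips[k] }' | sort
}

# Reads "tcpdump -n arp" output on stdin and prints the address that sent
# the most who-has requests with its count; on most LANs that is the gateway.
top_arp_requester() {
    awk '$3 == "who-has" && $5 == "tell" { c[$6]++ }
         END {
             for (a in c) if (c[a] > best) { best = c[a]; who = a }
             if (who != "") print who, best
         }'
}

printf '%s\n' "$SAMPLE_ARP" | proxy_arp_suspects
printf '%s\n' "$SAMPLE_TCPDUMP" | top_arp_requester
```

On a live box, feed the functions with `arp -a | proxy_arp_suspects` and `doas tcpdump -n -c 50 arp | top_arp_requester`.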
Log Traffic Between two Devices
If you can't get a hub in between two points, or a switch that supports port
mirroring, a second NIC in a laptop can be set up as a bridge between the two
points so that a full network trace can be captured. In my T30, fxp0 is the
built-in network card and dc0 is a Xircom combo card in the PCCard slot.
ifconfig fxp0 up
ifconfig dc0 up
ifconfig bridge0 up
brconfig bridge0 add fxp0
brconfig bridge0 add dc0
$ doas brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        dc0 flags=3<LEARNING,DISCOVER>
                port 5 ifpriority 0 ifcost 0
        fxp0 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):
Now I can log everything with snort or tcpdump:
$ doas snort -l ./
$ doas tcpdump -w file -i ath0
tcpdump: listening on ath0, link-type EN10MB
^C
1557 packets received by filter
0 packets dropped by kernel
$ doas tcpdump -r file icmp
...
With a capture on file, comparisons are possible between samples taken at different times, and you may even be able to match up a flow with a specific event that you learn of from other people on site.
Double-Check Subnet Masks
Even after setting up networks for a while it's not hard to make a mistake
when calculating subnets, so an IP calculator is a handy way to check yourself.
It can be installed from ports.
$ ipcalc 220.127.116.11/28
address   : 18.104.22.168
netmask   : 255.255.255.240 (0xfffffff0)
network   : 22.214.171.124 /28
broadcast : 126.96.36.199
host min  : 188.8.131.52
host max  : 184.108.40.206
hosts/net : 14
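As an added example (not code from the original page, and not ipcalc itself), the same computation done with nothing but sh(1) arithmetic, so a mask can be double-checked on a machine where the port is not installed; it also covers the /31 and /32 point-to-point cases of RFC 3021, which the text above does not discuss.

```shell
# Added example, not from the original page: derive what ipcalc prints from
# ADDRESS/PREFIX with nothing but sh(1) arithmetic, so a mask can be checked
# on a box where the port is not installed. /31 and /32 follow RFC 3021.

ip_to_int() {                       # 192.168.1.17 -> 3232235793
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

int_to_ip() {                       # 3232235793 -> 192.168.1.17
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info ADDRESS/PREFIX prints "name: value" lines like ipcalc does;
# returns 1 for a prefix outside 0..32 (or a missing prefix).
cidr_info() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    a=$(ip_to_int "$addr")
    if [ "$prefix" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - $prefix)) & 4294967295 )); fi
    net=$(( a & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    if [ "$prefix" -ge 31 ]; then   # point-to-point: nothing reserved
        lo=$net; hi=$bcast; hosts=$(( bcast - net + 1 ))
    else
        lo=$(( net + 1 )); hi=$(( bcast - 1 )); hosts=$(( bcast - net - 1 ))
    fi
    printf 'netmask: %s\nnetwork: %s/%s\nbroadcast: %s\nhostmin: %s\nhostmax: %s\nhosts: %s\n' \
        "$(int_to_ip "$mask")" "$(int_to_ip "$net")" "$prefix" "$(int_to_ip "$bcast")" \
        "$(int_to_ip "$lo")" "$(int_to_ip "$hi")" "$hosts"
}

# cidr_field ADDRESS/PREFIX NAME prints just one value, handy in scripts.
cidr_field() {
    cidr_info "$1" | sed -n "s/^$2: //p"
}

cidr_info 192.168.1.17/28
```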
Check File Integrity
A router can corrupt a data stream. This is rare, but when transferring
files I've demonstrated that a Cisco 3640 can corrupt the payload of TCP
packets. Armed with md5(1) you may catch some tricky glitches in hardware or
software.
$ md5 test.zip
MD5 (test.zip) = 0f155c2bd57bbba564c899da50504ce5
$ ftp http://teisprint.net/test.zip
Trying 220.127.116.11...
Requesting http://teisprint.net/test.zip (via http://proxy.eradman.com:8123/)
100% |**************************************************|  3090 KB    00:20
Successfully retrieved file.
$ md5 test.zip
MD5 (test.zip) = 0f155c2bd57bbba564c899da50504ce5
Simply comparing file sizes is not a good method of testing the validity of a transmission.
Finding routing loops is not an advanced topic and does not require a
specialized set of tools. Thanks to tcpdump you can check for this anywhere by
watching the TTL values. Here we have a switching loop (duplicate packets) and a
routing loop (TTL counting down toward 0) on the same LAN.
$ doas tcpdump -i fxp0 port 445
14:02:25.944847 IP (tos 0x0, ttl 8, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 18.104.22.168.2688 > 22.214.171.124.microsoft-ds: P, cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
14:02:25.944861 IP (tos 0x0, ttl 7, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 126.96.36.199.2688 > 188.8.131.52.microsoft-ds: P, cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
14:02:25.944985 IP (tos 0x0, ttl 8, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 184.108.40.206.2688 > 220.127.116.11.microsoft-ds: P, cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
Many times this is caused by servers with IP forwarding enabled. Test a suspect by trying to route packets through it.
$ doas route delete default
$ doas route add default 18.104.22.168
$ ping eradman.com
...
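To turn the trace above into a repeatable check, here is an added sh(1) function (not code from the original page) that groups verbose tcpdump records by IP id and flow: identical copies at the same TTL are reported as a switching loop, and copies of the same id at a falling TTL as a routing loop. The trace embedded in the script is constructed with RFC 1918 addresses.

```shell
# Added example, not from the original page: classify repeated IP ids in a
# verbose tcpdump trace. Identical copies of a datagram (same id, same ttl)
# point at a switching loop; copies of one id with a falling ttl point at a
# routing loop. The trace below is constructed with RFC 1918 addresses.
SAMPLE_TRACE='14:02:25.944847 IP (tos 0x0, ttl 8, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 10.1.1.20.2688 > 10.1.2.5.microsoft-ds: P, cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
14:02:25.944861 IP (tos 0x0, ttl 7, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 10.1.1.20.2688 > 10.1.2.5.microsoft-ds: P, cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
14:02:25.944985 IP (tos 0x0, ttl 8, id 15937, offset 0, flags [DF], proto: TCP (6), length: 79) 10.1.1.20.2688 > 10.1.2.5.microsoft-ds: P, cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529
14:02:26.100512 IP (tos 0x0, ttl 64, id 15938, offset 0, flags [DF], proto: TCP (6), length: 52) 10.1.1.20.2688 > 10.1.2.5.microsoft-ds: ., cksum 0x1a2b (correct), ack 40 win 16529'

# Reads the trace on stdin; prints one line per suspected loop, sorted.
loop_report() {
    awk '
    /^[0-9:.]+ IP [(]/ {
        # pull ttl and id out of the parenthesised header summary
        if (!match($0, / ttl [0-9]+/)) next
        ttl = substr($0, RSTART + 5, RLENGTH - 5) + 0
        if (!match($0, / id [0-9]+/)) next
        id = substr($0, RSTART + 4, RLENGTH - 4)
        # the flow is the two tokens around ">"
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        key = id " " $(i - 1) " > " $(i + 1)
        sub(/:$/, "", key)
        copies[key, ttl]++
        if (!(key in lo) || ttl < lo[key]) lo[key] = ttl
        if (!(key in hi) || ttl > hi[key]) hi[key] = ttl
    }
    END {
        for (k in lo) {
            if (lo[k] < hi[k])
                print "routing loop: " k " ttl " hi[k] ".." lo[k]
            for (t = lo[k]; t <= hi[k]; t++)
                if (copies[k, t] > 1)
                    print "switching loop: " k " x" copies[k, t] " at ttl " t
        }
    }' | sort
}

printf '%s\n' "$SAMPLE_TRACE" | loop_report
```

Live use is `doas tcpdump -n -v -i fxp0 port 445 | loop_report` after stopping the capture; a healthy LAN prints nothing.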
TFTP is Standard
It's good to be in the habit of copying off the configuration of routers and switches before you modify them, so that you have a backup.
# /etc/inetd.conf
tftp    dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
tftp    dgram   udp6    wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
I link the TFTP folder /tftpboot to my home directory. The important thing is
that inetd has write permission to the file you want to copy to.
$ ls -l /tftpboot
lrwxr-xr-x  1 root  wheel  18 Dec 14 03:19 /tftpboot -> /home/eradman/tftp
$ touch ~/tftp/PIX515-GATEWAY
$ chmod 666 ~/tftp/PIX515-GATEWAY
Log Everything in tmux(1)
tmux doesn't provide a built-in shortcut for logging the output of a session,
but it can be easily toggled by adding shortcuts to ~/.tmux.conf:
bind-key H pipe-pane "exec cat >>$HOME/'#W-tmux.log'" \; display-message 'Started logging to $HOME/#W-tmux.log'
bind-key h pipe-pane \; display-message 'Ended logging to $HOME/#W-tmux.log'
Domain Internet Groper
host gives you what you need to know right now:
$ host eradman.com
eradman.com has address 22.214.171.124
eradman.com has IPv6 address 2001:470:1f00:297:a00:20ff:fe9e:b3e1
eradman.com mail is handled by 10 us270-ob0.eradman.com.
dig provides a flexible interface for searching DNS:
$ dig @126.96.36.199 nycbug.org ns +short
auth20.ns.nyi.net.
auth21.ns.nyi.net.
Use dig -x for reverse lookups.
Find Manufacturer of Device
$ arp -an | sed 's/:/-/g'
? (192.168.1.1) at 00-01-03-e9-c2-b2 on xl2 static
$ grep -i 00-01-03 ~/documents/oui.txt
00-01-03   (hex)    3COM CORPORATION
does this automatically.
Searching for Wireless Networks
ifconfig completely unifies configuration of various network cards, including
wireless adaptors. To scan for the SSIDs visible to your laptop, use the scan option:
$ doas ifconfig wpi0 scan
wpi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:77:11:10:c5
        priority: 4
        groups: wlan egress
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid 0024A5B3D55F chan 1 bssid 00:24:a5:b3:d5:5f 63dB ...
                nwid 0x00 chan 11 bssid 00:1d:a2:84:cd:30 62dB 54M ...
                nwid guest chan 11 bssid 00:1d:a2:84:cd:31 50dB 54M ...
                nwid avctrl chan 11 bssid 00:1d:a2:84:cd:32 53dB 54M ...
        inet 188.8.131.52 netmask 0xfffffff0 broadcast 184.108.40.206
RS-232 aka Serial Devices
Serial access is also built-in:
$ cu -s 19200 -l cuaU0
If you have a USB-to-serial converter you can access it like so:
$ dmesg
...
ugen1 at uhub6 port 3 configuration 1 "Research In Motion RIM Composite Device" rev 2.00/2.32 addr 8
uplcom0 at uhub3 port 1 "Prolific Technology Inc. USB-Serial Controller D" rev 1.10/4.00 addr 2
ucom0 at uplcom0
12-point Courier wastes a lot of paper if you need to print some text. Install
a2ps from ports and use half as much.
$ a2ps -2 ap.conf -M A5 -o ap.conf.ps
BSD Telnet Works
It may be a well-kept secret that the BSD telnet can send one character at a time, which is sometimes required to simulate a serial link on terminals that need it for password prompts, etc.
$ telnet 220.127.116.11 10001
Trying 18.104.22.168...
Connected to 22.214.171.124.
Escape character is '^]'.
ENTER PASSWORD
^]
telnet> mode character
Better yet, add common connection parameters to ~/.telnetrc:
192.168.168.2    # The Simplicity VM
    mode character
    # do-nothing to make the above line work:
    set crmod off
XTerm as an ANSI Terminal with VGA Fonts
$ cd /usr/X11R6/lib/X11/fonts/misc
$ doas ftp http://scie.nti.st/dist/sabvga.pcf
$ doas ftp http://scie.nti.st/dist/vga.pcf
$ doas ftp http://scie.nti.st/dist/vga11x19.pcf
$ doas mkfontdir
Thanks to Garry Dolley for posting these fonts and for showing how to do this on OS X as well.
xterm +sb -fn vga -bg darkblue -fg white
This is a view of the text console.
Proprietary applications often expect goofy character combinations for
normal use. The key translations in XTerm are very flexible because you can map
a key to any string of characters. I used VIM to figure out each key by moving
the cursor to a character or code and pressing ga to show its hex code in the
status line. This is part of my X resources:
XTerm*VT100.translations: #override \n\
    ~Shift <Key>F1: string(0x1) string(0x40) string(0xd) \n\
    ~Shift <Key>F2: string(0x1) string(0x41) string(0xd) \n\
    ~Shift <Key>F3: string(0x1) string(0x42) string(0xd) \n\
    ~Shift <Key>F4: string(0x1) string(0x43) string(0xd) \n\
    ~Shift <Key>F5: string(0x1) string(0x44) string(0xd) \n\
    ~Shift <Key>F6: string(0x1) string(0x45) string(0xd) \n\
    ~Shift <Key>F7: string(0x1) string(0x46) string(0xd) \n\
    ~Shift <Key>F8: string(0x1) string(0x47) string(0xd) \n\
    ~Shift <Key>F9: string(0x1) string(0x48) string(0xd) \n\
    ~Shift <Key>F10: string(0x1) string(0x49) string(0xd) \n\
These keys enabled me to manage an old Tadiran voicemail via a network serial port: