Tuesday, 17 December 2013

Packet capture with tcpdump

Solaris had snoop; Linux has tcpdump. Here are a couple of handy examples:

Interactive capture of traffic on interface eth0:

  • tcpdump -i eth0


Capture traffic to a file, output can be read in Wireshark:

  • tcpdump -w output.pcap -i eth0


Filter to a specific source or destination or both:

  • tcpdump -i eth0 src 192.168.100.1
  • tcpdump -i eth0 dst 192.168.100.1
  • tcpdump -i eth0 src 192.168.100.1 or dst 192.168.100.1


Further filter by port (tcpdump's filter grammar gives `and` tighter binding than `or`, so the host clause is parenthesised and the whole expression quoted for the shell):

  • tcpdump -i eth0 '(src 192.168.100.1 or dst 192.168.100.1) and port 22'
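As an added illustration (not part of the original post, and not tcpdump's own code), the small parser below reads the classic pcap format that `tcpdump -w` writes (24-byte global header, then a 16-byte record header per packet) and applies two Python predicates to the packets: one that evaluates the filter `src H or dst H and port 22` the way tcpdump actually parses it, `src H or (dst H and port 22)`, and one that evaluates the intended `(src H or dst H) and port 22`. The capture is constructed in memory from four hand-built Ethernet/IPv4 frames with zeroed checksums; only Ethernet link type and IPv4 over TCP/UDP are handled, which is all the example needs.

```python
import socket
import struct

HOST = "192.168.100.1"   # the address used in the post's filter examples


def make_frame(src, dst, proto, sport, dport):
    """Ethernet + IPv4 + TCP(6)/UDP(17) frame, checksums zeroed (constructed sample traffic)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800)
    return eth + ip + l4


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a classic little-endian pcap, linktype 1 = Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a classic pcap (either byte order) into dicts of src/dst/proto/ports for IPv4 packets."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # truncated or not IPv4: skip
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # header length in bytes
        proto = ip[9]
        sport = dport = None
        if proto in (6, 17) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        pkts.append({"ts": ts_sec, "src": socket.inet_ntoa(ip[12:16]),
                     "dst": socket.inet_ntoa(ip[16:20]), "proto": proto,
                     "sport": sport, "dport": dport})
    return pkts


def as_written(p):
    """'src H or dst H and port 22' as BPF parses it: 'and' binds tighter than 'or'."""
    return p["src"] == HOST or (p["dst"] == HOST and 22 in (p["sport"], p["dport"]))


def intended(p):
    """'(src H or dst H) and port 22', i.e. the same as 'host H and port 22'."""
    return (p["src"] == HOST or p["dst"] == HOST) and 22 in (p["sport"], p["dport"])


# Constructed capture: ssh both ways, an http request from HOST, a DNS reply to HOST.
SAMPLE = build_pcap([
    (1, make_frame("192.168.100.1", "10.0.0.5", 6, 40000, 22)),   # both predicates match
    (2, make_frame("10.0.0.5", "192.168.100.1", 6, 22, 40000)),   # both predicates match
    (3, make_frame("192.168.100.1", "10.0.0.5", 6, 40001, 80)),   # only as_written matches
    (4, make_frame("10.0.0.5", "192.168.100.1", 17, 53, 5353)),   # neither matches
])


def count_matches(data, predicate):
    """Number of packets in a pcap byte string that satisfy the predicate."""
    return sum(1 for p in read_pcap(data) if predicate(p))


if __name__ == "__main__":
    print("as written:", count_matches(SAMPLE, as_written))   # 3: the http packet leaks through
    print("intended:  ", count_matches(SAMPLE, intended))     # 2
```

The third packet (port 80 from the host) is the one the unparenthesised filter lets through, which is why the capture you hand to an analyst can contain more than the filter text suggests.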






Thursday, 5 December 2013

Enabling ping replies through Windows 7 firewall

By default the Windows 7 firewall blocks ping. Here's how to enable a PC to respond to ping requests:


  • Open Windows firewall
  • Select Advanced settings, Inbound Rules
  • Create New Rule:
    • Type custom
    • Apply to all programs
    • Protocol ICMPv4
    • ICMP settings, allow Echo Request only
    • Apply to any source & destination IP
    • Action, Allow the connection
    • Rule applies to all locations
    • Name it Ping
  • Refresh the Inbound Rules list and it should appear; make sure it is enabled

Windows 7 will now respond to ping requests.

Tuesday, 20 August 2013

Solaris: Which NIC is which MAC address?

So, you've got a server with several NICs in it, some plumbed and some not. How do you tell the MAC address of each interface so you can marry it up to the output from ifconfig?

prtdiag and prtpicl are your friends.

Here's an example.

Well, here's what's plumbed:
# ifconfig -a
ipge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.185.32.152 netmask ffffffc0 broadcast 10.185.32.191
        ether 0:14:4f:48:5a:a0
ipge3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
        ether 0:14:4f:48:5a:a1
ipge4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.185.32.56 netmask fffffff0 broadcast 10.185.32.63
        ether 0:15:17:e:a9:56


But here's what's plugged in:
# dladm show-dev
ipge0           link: unknown   speed: 0     Mbps       duplex: unknown
ipge1           link: unknown   speed: 0     Mbps       duplex: unknown
ipge2           link: unknown   speed: 1000  Mbps       duplex: full
ipge3           link: unknown   speed: 1000  Mbps       duplex: full
ipge4           link: unknown   speed: 1000  Mbps       duplex: full
ipge5           link: unknown   speed: 0     Mbps       duplex: unknown
ipge6           link: unknown   speed: 1000  Mbps       duplex: full
ipge7           link: unknown   speed: 0     Mbps       duplex: unknown


So let's probe the server and see what NICs we have:
# prtdiag|grep network
IOBD/NET0    PCIE IOBD                /pci@780/pci@0/pci@1/network@0    network-pciex8086,105e     
IOBD/NET1    PCIE IOBD              /pci@780/pci@0/pci@1/network@0,1    network-pciex8086,105e     
IOBD/NET2    PCIE IOBD                /pci@7c0/pci@0/pci@2/network@0    network-pciex8086,105e     
IOBD/NET3    PCIE IOBD              /pci@7c0/pci@0/pci@2/network@0,1    network-pciex8086,105e     
IOBD/PCIE1   PCIE    1                /pci@7c0/pci@0/pci@8/network@0    network-pciex8086,105e SUNW,pcie+
IOBD/PCIE1   PCIE    1              /pci@7c0/pci@0/pci@8/network@0,1    network-pciex8086,105e SUNW,pcie+
IOBD/PCIE2   PCIE    2                /pci@7c0/pci@0/pci@9/network@0    network-pciex8086,105e SUNW,pcie+
IOBD/PCIE2   PCIE    2              /pci@7c0/pci@0/pci@9/network@0,1    network-pciex8086,105e SUNW,pcie+


This is a T2000, so we've got 4 onboard NICs (NET0 to NET3), but by the look of it we've also got 2 dual-port PCI-e cards (PCIE1 and PCIE2).

So which ipge interfaces are bound to which NIC?

# prtpicl -v | egrep 'local-mac|devfs-path'
<snip>

 :devfs-path    /pci@7c0/pci@0/pci@2
                      :local-mac-address         00  14  4f  48  5a  a0
                      :devfs-path        /pci@7c0/pci@0/pci@2/network@0

                      :local-mac-address         00  14  4f  48  5a  a1
                      :devfs-path        /pci@7c0/pci@0/pci@2/network@0,1
                  :devfs-path    /pci@7c0/pci@0/pci@8
                      :local-mac-address         00  15  17  0e  a9  56
                      :devfs-path        /pci@7c0/pci@0/pci@8/network@0
                      :local-mac-address         00  15  17  0e  a9  57
                      :devfs-path        /pci@7c0/pci@0/pci@8/network@0,1

<snip>


Search the output for local-mac-address lines followed by a devfs-path line and marry that up with the prtdiag output. Looking at the example above we see:
  • mac ending 5a:a0 is connected to onboard net2 and assigned ipge2
  • mac ending a9:57 is connected to PCI-e slot 1 (2nd interface to be precise) and assigned to ipge4
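Doing that marrying-up by hand is error-prone on a box with eight ports, so here is an added script (mine, not the post's, and not a Sun tool) that joins the three outputs quoted above: `ifconfig -a` gives interface name to MAC, `prtpicl -v` gives MAC to devfs path, and `prtdiag` gives devfs path to slot label. The three text constants are copied from the post; the MAC normaliser is needed because Solaris ifconfig drops leading zeros (`0:15:17:e:a9:56`) while prtpicl prints space-separated two-digit bytes.

```python
import re

# Output quoted from the post (Solaris T2000).
IFCONFIG = """\
ipge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.185.32.152 netmask ffffffc0 broadcast 10.185.32.191
        ether 0:14:4f:48:5a:a0
ipge3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
        ether 0:14:4f:48:5a:a1
ipge4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.185.32.56 netmask fffffff0 broadcast 10.185.32.63
        ether 0:15:17:e:a9:56
"""

PRTDIAG = """\
IOBD/NET0    PCIE IOBD                /pci@780/pci@0/pci@1/network@0    network-pciex8086,105e
IOBD/NET1    PCIE IOBD              /pci@780/pci@0/pci@1/network@0,1    network-pciex8086,105e
IOBD/NET2    PCIE IOBD                /pci@7c0/pci@0/pci@2/network@0    network-pciex8086,105e
IOBD/NET3    PCIE IOBD              /pci@7c0/pci@0/pci@2/network@0,1    network-pciex8086,105e
IOBD/PCIE1   PCIE    1                /pci@7c0/pci@0/pci@8/network@0    network-pciex8086,105e SUNW,pcie+
IOBD/PCIE1   PCIE    1              /pci@7c0/pci@0/pci@8/network@0,1    network-pciex8086,105e SUNW,pcie+
IOBD/PCIE2   PCIE    2                /pci@7c0/pci@0/pci@9/network@0    network-pciex8086,105e SUNW,pcie+
IOBD/PCIE2   PCIE    2              /pci@7c0/pci@0/pci@9/network@0,1    network-pciex8086,105e SUNW,pcie+
"""

PRTPICL = """\
 :devfs-path    /pci@7c0/pci@0/pci@2
                      :local-mac-address         00  14  4f  48  5a  a0
                      :devfs-path        /pci@7c0/pci@0/pci@2/network@0

                      :local-mac-address         00  14  4f  48  5a  a1
                      :devfs-path        /pci@7c0/pci@0/pci@2/network@0,1
                  :devfs-path    /pci@7c0/pci@0/pci@8
                      :local-mac-address         00  15  17  0e  a9  56
                      :devfs-path        /pci@7c0/pci@0/pci@8/network@0
                      :local-mac-address         00  15  17  0e  a9  57
                      :devfs-path        /pci@7c0/pci@0/pci@8/network@0,1
"""


def norm_mac(text):
    """Canonical aa:bb:cc:dd:ee:ff from '0:14:4f:...' (ifconfig) or '00  14  4f ...' (prtpicl)."""
    parts = re.split(r"[:\s]+", text.strip())
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def parse_ifconfig(text):
    """Interface name -> MAC, from `ifconfig -a`."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s+flags=", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"\bether\s+(\S+)", line)
        if m and current:
            result[current] = norm_mac(m.group(1))
    return result


def parse_prtdiag(text):
    """devfs path -> slot label, from `prtdiag | grep network`."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+.*?(/pci\S+)\s+network-", line)
        if m:
            result[m.group(2)] = m.group(1)
    return result


def parse_prtpicl(text):
    """MAC -> devfs path: a :local-mac-address line is followed by its node's :devfs-path line."""
    result, pending = {}, None
    for line in text.splitlines():
        m = re.search(r":local-mac-address\s+((?:[0-9a-fA-F]{2}\s*)+)$", line)
        if m:
            pending = norm_mac(m.group(1))
            continue
        m = re.search(r":devfs-path\s+(\S+)", line)
        if m and pending:
            if "network@" in m.group(1):
                result[pending] = m.group(1)
            pending = None
    return result


def map_interfaces(ifconfig, prtdiag, prtpicl):
    """Interface -> (MAC, devfs path, slot label); path/slot are None when the MAC is not found."""
    slot_of, path_of = parse_prtdiag(prtdiag), parse_prtpicl(prtpicl)
    rows = {}
    for ifname, mac in parse_ifconfig(ifconfig).items():
        path = path_of.get(mac)
        rows[ifname] = (mac, path, slot_of.get(path) if path else None)
    return rows


if __name__ == "__main__":
    for ifname, (mac, path, slot) in sorted(map_interfaces(IFCONFIG, PRTDIAG, PRTPICL).items()):
        print(f"{ifname:6} {mac}  {slot or '?':12} {path or '?'}")
```

Run it as-is to see the three plumbed interfaces resolved to their slot labels; on a live system, replace the three constants with the captured command output.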

Simple when you know how.