Updates from May, 2012 Toggle Comment Threads | Keyboard Shortcuts

  • elguber 23:13 on 2 May 2012 Permalink | Reply
    Tags: tcpdump   



    tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
    [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
    [ -i interface ] [ -m module ] [ -M secret ]
    [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
    [ -W filecount ]
    [ -E spi@ipaddr algo:secret,… ]
    [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
    [ expression ]

    Command Line Options
    -A Print frame payload in ASCII
    -c <count> Exit after capturing count packets
    -D List available interfaces
    -e Print link-level headers
    -F <file> Use file as the filter expression
    -G <n> Rotate the dump file every n seconds
    -i <iface> Specifies the capture interface
    -K Don’t verify TCP checksums
    -L List data link types for the interface
    -n Don’t convert addresses to names
    -p Don’t capture in promiscuous mode
    -q Quick output
    -r <file> Read packets from file
    -s <len> Capture up to len bytes per packet
    -S Print absolute TCP sequence numbers
    -t Don’t print timestamps
    -v[v[v]] Print more verbose output
    -w <file> Write captured packets to file
    -x Print frame payload in hex
    -X Print frame payload in hex and ASCII
    -y <type> Specify the data link type
    -Z <user> Drop privileges from root to user


    To print all packets arriving at or departing from sundown:

    tcpdump host sundown

    To print traffic between helios and either hot or ace:

    tcpdump host helios and \( hot or ace \)

    To print all IP packets between ace and any host except helios:

    tcpdump ip host ace and not helios

    To print all traffic between local hosts and hosts at Berkeley:

    tcpdump net ucb-ether

    To print all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

    tcpdump 'gateway snup and (port ftp or ftp-data)'

    To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

    tcpdump ip and not net localnet

    To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

    tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

    To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

    tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

    To print IP packets longer than 576 bytes sent through gateway snup:

    tcpdump 'gateway snup and ip[2:2] > 576'

    To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

    tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

    To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

    tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
  • elguber 22:13 on 2 May 2012 Permalink | Reply
    Tags: ,   

    Bigpipe vs TMSH 

    Important things to remember when examining commands in tmsh:

    • show (usually) provides just the statistical information, with configuration parameters present to provide a level of disambiguation.
    • list provides configuration information, but just variations from the default. For example, “list /ltm nat” will only show the “originating-address” information
    • all-properties extends a “list” command to show every configuration option, not just the variations from default.


    bigpipe command tmsh Command Comment
    b arp show show /net arp all
    b arp all delete tmsh delete /net arp all
    b class DATA-GROUP mode read modify ltm data-group DATA-GROUP access-mode read-only
    b class show show running-config /ltm data-group
    b cluster show show /sys cluster all-properties
    b config load file.ucs load /sys ucs file.ucs
    b config save file.ucs save /sys ucs file.ucs
    b config sync run /cm config-sync from-group/to-group DEVICEGROUPNAME
    b conn show show /sys connection
    b conn show all show /sys connection all-properties Show all connection table properties
    b conn ss server node-ip:node-port delete delete /sys connection ss-server-addr node-ip ss-server-port node-port Delete connection table entries for node-ip node-port
    b daemon list list /sys daemon-ha all-properties
    b db < key name > < value > modify /sys db < key name > value < value > Modify database values
    b db Platform.PowerSupplyMonitor disable tmsh modify sys db platform.powersupplymonitor value disable Disables PSU alert if only one PSU in use on Dual PSU system
    b db show show running-config /sys db -hidden all-properties
    b export my.config.scf save /sys scf my.config.scf v10.x only
    b export my.config.scf save /sys config file my.config.scf tar-file my.config.tar v11.0+
    b failover standby run /sys failover standby v11+
    b fo show show /sys failover
    b fo standby run /util bigpipe fo standby v10+
    b ha table show /sys ha-status all-properties
    b hardware baud rate modify /sys console baud-rate v10: sol10621 | v11: sol13325
    b ha table show show /sys ha-status all-properties
    b httpd list list /sys httpd To list httpd configuration.
    b import my.config.scf load /sys scf my.config.scf v10.x only
    b import my.config.scf load /sys config file my.config.scf tar-file my.config.tar v11.0+
    b interface show -j show /net interface -hidden all-properties -hidden is not tab completable, but should be shown in the command output on iHealth.
    b load load sys config partitions all
    b merge load /sys config merge Added in v11. In v10 use bigpipe
    b merge /path/to/file.txt tmsh load /sys config file /path/to/file.txt merge Merge a file into the BIG-IP configuration. Added in v11. In v10, use bigpipe
    b mgmt show show running-config /sys management-ip
    b monitor show show running-config /ltm monitor (?)
    b nat show show /ltm nat all or list /ltm nat all-properties The two tmsh commands are required here since b nat show will list the unit preference and ARP status. Statistical information is shown via “show” while configuration information is shown via “list”.
    b node all monitor show list ltm node monitor
    b node show show /ltm node
    b ntp servers modify sys ntp servers add { }
    b packet filter all show show /net packet-fliter
    b partition list auth partition no “show” command yet, list will only show written partitions
    b persist tmsh show ltm persistence persist-records
    b platform show /sys hardware
    b pool list list /ltm pool
    b pool show show /ltm pool members
    b profile access all stats
    b profile auth all show all show /ltm auth profile all The tmsh auth command does not display associated OCSP information shown by bigpipe.
    b profile http ramcache show show /ltm profile http
    b profile http stats show /ltm profile http
    b profile ssl stats show /ltm profile ssl
    b profile persist profile_name list all tmsh list ltm persistence profile_name all-properties
    b profile tcp show show /ltm profile tcp
    b profile tcp stats show /ltm profile tcp
    b profile udp show show /ltm profile udp
    b profile udp stats show /ltm profile udp
    b profile xml show show /ltm profile xml
    b reset load / sys default-config v10.x
    b reset load / sys config default v11.x
    b route show show /net route all
    b rule < rule > show all show /ltm rule < rule >
    b rule show show /ltm rule all
    b rule stats reset reset-stats /ltm rule < rule >
    b save save sys config partitions all
    b self show show running-config /net self
    b snat show /ltm snat
    b snatpool show show /ltm snatpool
    b software show sys software
    b software desired install sys software image NAME volume HDX.Y reboot
    b software desired install sys software image NAME create-volume volume HDX.Y v11.0+ : Creates volume and installs software. (Cannot create empty volumes in v11)
    b software desired install sys software hotfix NAME volume HDX.Y Installs desired Hotfix to the specified Volume.
    b stp show show running-config /net stp all-properties
    b syslog list all list sys syslog all-properties
    b syslog remote server none modify sys syslog remote-servers none
    b syslog remote server test-srv host modify sys syslog remote-servers add {test-srv{host}} You can append “remote-port 517” for example to the end of the command to specify the port
    b syslog remote server test-srv local ip modify sys syslog remote-servers modify {test-srv{local-ip}} The self ip must be non-floating
    b system hostname modify sys global-settings hostname NEWHOST.EXAMPLE.COM
    b trunk show -j show /net trunk -hidden all
    b trunk all lacp show show /net trunk detail
    b unit show
    b verify load load sys config verify
    b version show /sys version Takes grep (but not “head” as in “b version |head”) – for example, grep on build: tmsh show sys version |grep -i build
    b virtual address show show /ltm virtual-address all-properties “show” does not show the objects used by the virtual, and list does not show statistics.
    b virtual all show all show /ltm virtual all-properties or list /ltm virtual all-properties “show” does not show the objects used by the virtual, and list does not show statistics.
    b vlan all show all -j show /net vlan -hidden
    b vlangroup all show all show /net vlan-group all
    bigstart status|start|stop|restart SERVICE_NAME show|start|stop|restart sys service SERVICE_NAME
    bpsh (?) load sys config from-terminal merge Merge config from interactive shell. Paste/type the config objects you want to add. Then type Ctrl+d to complete the submission or Ctrl+c to cancel the input. Added in v11.0.

    Linux Commands (Commands only accessible from the CLI)

    Linux Command tmsh Comment
    arp -an run /util bash -c “arp -an”
    crontab -l run /util bash -c “crontab -l”
    date run /util bash -c “date”
    df -h run /util bash -c “df -h”
    df -i run /util bash -c “df -i”
    df -ik run /util bash -c “df -ik”
    eud_info (version) run /util bash -c “eud_info (version)”
    free run /util bash -c “free”
    grub default -d run /util bash -c “grub default -d”
    grub default -l run /util bash -c “grub default -l”
    halid run /util bash -c “halid”
    hsb snapshot (version) run /util bash -c “hsb snapshot (version)”
    ifconfig -a run /util bash -c “ifconfig -a”
    interrupts run /util bash -c “interrupts”
    ip -f dnet addr show run /util bash -c “ip -f dnet addr show”
    ip -f inet addr show run /util bash -c “ip -f inet addr show”
    ip -f inet link show run /util bash -c “ip -f inet link show”
    ip -f inet neigh show run /util bash -c “ip -f inet neigh show”
    ip -f inet route show run /util bash -c “ip -f inet route show”
    ip -f inet rule show run /util bash -c “ip -f inet rule show”
    ip -f inet tunnel show run /util bash -c “ip -f inet tunnel show”
    ip -f inet6 addr show run /util bash -c “ip -f inet6 addr show”
    ip -f inet6 link show run /util bash -c “ip -f inet6 link show”
    ip -f inet6 neigh show run /util bash -c “ip -f inet6 neigh show”
    ip -f inet6 route show run /util bash -c “ip -f inet6 route show”
    ip -f inet6 tunnel show run /util bash -c “ip -f inet6 tunnel show”
    ip -f ipx addr show run /util bash -c “ip -f ipx addr show”
    ip -f link addr show run /util bash -c “ip -f link addr show”
    ip -f link link show run /util bash -c “ip -f link link show”
    ip -f link neigh show run /util bash -c “ip -f link neigh show”
    ip -f link route show run /util bash -c “ip -f link route show”
    ls -las /var/local/ucs run /util bash -c “ls -las /var/local/ucs”
    ls -lasLR /dev/mprov/ run /util bash -c “ls -lasLR /dev/mprov/”
    ls -lasLR /var/core run /util bash -c “ls -lasLR /var/core”
    ls -lasR /boot run /util bash -c “ls -lasR /boot”
    ls -lasR /hotfix run /util bash -c “ls -lasR /hotfix”
    lsof -n run /util bash -c “lsof -n”
    meminfo run /util bash -c “meminfo”
    mount run /util bash -c “mount”
    netstat -nge run /util bash -c “netstat -nge”
    netstat -ni run /util bash -c “netstat -ni”
    netstat -pan run /util bash -c “netstat -pan”
    netstat -sa run /util bash -c “netstat -sa”
    ntpdc -n -c peer run /util bash -c “ntpdc -n -c peer”
    ntpq -pn run /util bash -c “ntpq -pn”
    pci run /util bash -c “pci”
    pstree run /util bash -c “pstree”
    qkview run /util qkview
    rpm -qa run /util bash -c “rpm -qa”
    switchboot -l run /util bash -c “switchboot -l” Or use: /sys reboot volume < volume >
    sysctl run /util bash -c “sysctl”
    top run /util bash -c “top”
    vmstat run /util bash -c “vmstat”
    who -aH run /util bash -c “who -aH”


  • elguber 12:12 on 29 May 2010 Permalink | Reply
    Tags: cisco,   

    Connect to CISCO router under Fedora 

    Today I will explain how to connect to a Cisco router with USB to DB9 converter in Fedora. You can use this to connect to a switch, firewall or another kind of device in which you use this cable an a terminal connection.


    Machine: Dell Laptop without serial port OS: Fedora 12

    Router: Cisco 2524 IOS: 11.1

    Cable: RJ-45 to DB-9 female (management cable)

    Converter: USB to DB9

    Fist, you need a terminal software. Most common is minicom but you can use Putty. Minicom is not so friendly as Putty. I can explain both and then, you can choose 😉

    Using minicom

    Install as root

    [user@localhost ~]$ su
    [root@localhost user]# yum install minicom

    Once you have minicom installed, is time to configure the device. Before start minicom you should know in which port is installed. To get that information type:

    [root@localhost user]# dmesg | grep tty

    You will get something like:

    usb 2-2.1: FTDI USB Serial Device converter now attached to ttyUSB0

    We know that converter device is in /dev/ttyUSB0. Let’s start minicom with -s option (set-up mode). You only can start with this option as root.

    [root@localhost user]# minicom -s


    Surfing throught the menu with the up and down keys, enter in “Serial Port setup” option.


    Typing letters in left side you’ll enter in each option.

    Option “E” output:

    Once you have configured everything you should save with “Save setup as…” option and put a name. For example: cisco

    If you choose Exit you will be directly connected to the router, if not, choose “Exit from minicom” to close down the application.

    To start minicom with the configuration previously saved as cisco type as root:

    [root@localhost user]# minicom cisco

    That’s it!

    Using Putty

    Too simple.Install putty as root typing:

    [user@localhost ~]$ su
    [root@localhost user]# yum install putty

    Then, start putty with

    [eduardo@localhost ~]$ putty


    Configure serial port as before with:

    [root@localhost user]# dmesg | grep tty

    You will get something like:

    usb 2-2.1: FTDI USB Serial Device converter now attached to ttyUSB0

    In serial box type:


    In speed box type:



  • elguber 22:31 on 27 May 2010 Permalink | Reply

    Linux Commands II 

    If you want a good manual with unix commands, you have two options:

    1st – A small and quick manual within no more than 5 pages

    2nd- A list of all kind of linux commands in a book or pdf with 300 pages or more.

    If you choose first option and you use all commands in the list, you will get know in a week because of use.

    My point of view is: I like a book with thousands of commands with each explanation to review. I will never know all commands. It is stupid to know all ones when you have a good help and the most known search engine website 😉 Anyway, if you want to be a good administrator, you should know a long list. Each command have a list of options that you can check with:

    [user@localhost ~]$ help {command}


    [user@localhost ~]$ man {command}

    That is the reason because  is not mandatory to know all commands within options.

    In this post, I will  put some interesting commands.

    TOP – Command to know the CPU usage. It displays a listing of the most CPU intensive tasks on the system.

    Tasks: 193 total,   1 running, 192 sleeping,   0 stopped,   0 zombie

    Cpu(s):  1.8%us,  1.5%sy,  0.0%ni, 96.6%id,  0.0%wa,  0.2%hi,  0.0%si,  0.0%st

    Mem:   2060700k total,  1849668k used,   211032k free,    58676k buffers

    Swap:  4194292k total,       20k used,  4194272k free,  1187076k cached


    2658 eduardo   20   0  129m  24m  16m S  2.3  1.2   2:42.51 chrome

    3321 eduardo   20   0  354m 112m  24m S  1.7  5.6   2:10.95 firefox

    1625 root      20   0 98412  62m  17m S  1.0  3.1  63:29.99 Xorg

    4421 root      20   0  2556 1104  824 R  0.7  0.1   0:00.30 top

    3658 eduardo   20   0  115m  25m  13m S  0.3  1.3   0:09.74 chrome

    3723 eduardo   20   0 48832  12m 9212 S  0.3  0.6   0:06.31 gnome-terminal

    1 root      20   0  2024  780  580 S  0.0  0.0   0:01.14 init

    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd

    3 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/0

    4 root      20   0     0    0    0 S  0.0  0.0   0:00.16 ksoftirqd/0

    5 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/0

    6 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/1

    7 root      20   0     0    0    0 S  0.0  0.0   0:00.66 ksoftirqd/1

    8 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/1

    9 root      20   0     0    0    0 S  0.0  0.0   0:00.11 events/0

    10 root      20   0     0    0    0 S  0.0  0.0   0:01.25 events/1

    11 root      20   0     0    0    0 S  0.0  0.0   0:00.00 cpuset

    12 root      20   0     0    0    0 S  0.0  0.0   0:00.00 khelper

    13 root      20   0     0    0    0 S  0.0  0.0   0:00.00 netns

    14 root      20   0     0    0    0 S  0.0  0.0   0:00.00 async/mgr

    15 root      20   0     0    0    0 S  0.0  0.0   0:00.00 pm

    PS – Reports the process status. This command typed alone show you the current running processes.

    [user@localhost ~]$ ps
    PID TTY          TIME CMD
    3725 pts/0    00:00:00 bash
    3743 pts/0    00:00:00 ps

    Adding the following options, you can get the top 5 CPU users

    [user@localhost ~]$ ps -eo pcpu,pid,user,args | sort -k 1 -r | head -5


    62.4  2538 user  vinagre

    4.8  2997 user  rhythmbox

    31.6  1625 root     /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-LC90Bs/database -nolisten tcp vt1

    2.8  3321 user  /usr/lib/firefox-3.5/firefox http://www.google.com

    MPSTAT – Display the unilization of each CPU individually.

    [root@localhost user]# mpstat

    Linux (localhost.localdomain) 05/27/2010 _i686_ (2 CPU)

    11:21:15 PM  CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest   %idle

    11:21:15 PM  all   32.00    0.34   16.37    0.66    0.07    2.06    0.00    0.00   48.51

    This command display activities for each available processor and can be used on SMP(Multiple CPU) and UP machines, but in the latter, only global average activities will be printed:
    [root@localhost user]# mpstat -P ALL
    Linux (localhost.localdomain) 05/27/2010 _i686_ (2 CPU)

    11:23:43 PM  CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest   %idle
    11:23:43 PM  all   32.06    0.33   16.44    0.65    0.07    2.08    0.00    0.00   48.37
    11:23:43 PM    0   48.16    0.37   14.58    0.82    0.05    1.24    0.00    0.00   34.77
    11:23:43 PM    1   17.44    0.30   18.13    0.49    0.08    2.83    0.00    0.00   60.73
    IOSTAT – Display CPU statistics and in/out statistics for devices and partitions. Useful to know your CPU utilization since the last reboot.
    [root@localhost user]# iostat
    Linux (localhost.localdomain) 05/27/2010 _i686_ (2 CPU)
    avg-cpu:  %user   %nice %system %iowait  %steal   %idle
    32.17    0.32   18.63    0.64    0.00   48.24
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    sda               4.77       149.94       347.32    1680964    3893686
    sdb               0.03         0.87         0.00       9782          1
    VMSTAT – Reports information about processes, memory, paging, block IO, traps, and cpu activity.

    [root@localhost user]# vmstat 3
    procs ———–memory———- —swap– —–io—- –system– —–cpu—–
    r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
    2  0    548  52268  55060 1212524    0    0    37    81  955 1157 32 18 48  1  0
    2  0    548  54620  55464 1209524    0    0   252  4275 1769 1565 24  4 52 20  0
    1  0    548  54224  55548 1204264    0    0    37  3940 1624 1536 20  4 60 15  0
    1  0     20  52704  55600 1201252   45    0   145  3536 1258 1306  7  5 60 28  0
    TCPDUMP – Dump traffic no a network
    [root@localhost user]# tcpdump ‘tcp port pop3’ tcpdump: verbose output suppressed, use -v or -vv for
    full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

    NETSTAT – Ddisplays network connections, routing tables, interface statistics, masquerade

    connections, and multicast memberships. Output of this command can be too long, but you can
    put some options to get a short result like:
    [root@localhost user]# netstat -nat | awk ‘{print $6}’ | sort | uniq -c | sort -n
    1 established)
    1 Foreign
    10 LISTEN

  • elguber 14:56 on 31 December 2009 Permalink | Reply

    Linux commands “a” 

    These are the most common bash commands in linux. Some of them, depending of the distribution can´t be available or have been replaced for another ones.
    adduser Add a user to the system

    • Command is Centos: # useradd <username>

    This command create a user locked. To unlock the user add passwd <password>

    • Command in Debian: # adduser <username>

    addgroup Add a group to the system
    alias    Create an alias. It´s useful when you use commands with options

    • Example: # alias ls=’ls -l’ From now, when you type ‘ls’  is like ‘ls -l’

    apropos Search Help manual pages. Same as # man -k
    apt-get Search for and install software packages (Debian)
    Interesting command. This command allow you
    update – Download new list of apps
    upgrade – Upgrade the app
    install – Install new packages
    remove – Remove packages
    purge  – Delete and purge packages
    source – Download font sources
    build-dep – Configure build dependencies of font packages
    dist-upgrade – Upgrade the distribution
    clean – Delete downloaded files
    autoclean – Delete old downloaded files
    check – Check in fulfill dependencies
    awk Find and Replace text, database sort/validate/index

Compose new post
Next post/Next comment
Previous post/Previous comment
Show/Hide comments
Go to top
Go to login
Show/Hide help
shift + esc