Category Archives: linux

tcpdump

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,… ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]

Command Line Options
-A Print frame payload in ASCII
-c <count> Exit after capturing count packets
-D List available interfaces
-e Print link-level headers
-F <file> Use file as the filter expression
-G <n> Rotate the dump file every n seconds
-i <iface> Specifies the capture interface
-K Don’t verify TCP checksums
-L List data link types for the interface
-n Don’t convert addresses to names
-p Don’t capture in promiscuous mode
-q Quick output
-r <file> Read packets from file
-s <len> Capture up to len bytes per packet
-S Print absolute TCP sequence numbers
-t Don’t print timestamps
-v[v[v]] Print more verbose output
-w <file> Write captured packets to file
-x Print frame payload in hex
-X Print frame payload in hex and ASCII
-y <type> Specify the data link type
-Z <user> Drop privileges from root to user

EXAMPLES

To print all packets arriving at or departing from sundown:

tcpdump host sundown

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

To print IP packets longer than 576 bytes sent through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
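The three byte-offset filters above (the SYN/FIN test, the "HTTP packets with data" test and the "IP multicast on a unicast Ethernet frame" test) are easier to trust once you see what the offsets index. The following is an added example, not part of the tcpdump man page: it builds small Ethernet/IPv4/TCP frames in code (constructed, not captured) and evaluates the same arithmetic on them, so `ip[2:2]`, `ip[0]&0xf`, `tcp[12]&0xf0`, `tcp[tcpflags]`, `ether[0]` and `ip[16]` can be checked against known frames. Function names and all addresses are this example's own.

```python
"""Added example (not from the tcpdump man page): evaluate the byte-offset
arithmetic used by the filters above on constructed Ethernet/IPv4/TCP frames,
so you can see what ip[2:2], ip[0]&0xf and tcp[12]&0xf0 actually index.
All frames below are built in code; nothing is captured from a network."""
import struct

IP_PROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_frame(dst_mac, src_ip, dst_ip, sport, dport, flags,
                payload=b"", ip_options=b"", tcp_options=b""):
    """Build a minimal Ethernet II + IPv4 + TCP frame (checksums left as zero;
    tcpdump's offset filters never look at them). Header lengths are derived
    from the option bytes so the IHL and data-offset nibbles are right."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = (20 + len(ip_options)) // 4          # IPv4 header length, 32-bit words
    doff = (20 + len(tcp_options)) // 4        # TCP data offset, 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, flags,
                      65535, 0, 0) + tcp_options + payload
    total_len = ihl * 4 + len(tcp)             # this is what ip[2:2] reads
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                     64, IP_PROTO_TCP, 0, src_ip, dst_ip) + ip_options
    ether = dst_mac + bytes.fromhex("001122334455") + b"\x08\x00"  # EtherType IPv4
    return ether + ip + tcp


def layers(frame):
    """Split a frame the way tcpdump's ether[], ip[] and tcp[] index it."""
    ether, ip = frame[:14], frame[14:]
    tcp = ip[(ip[0] & 0x0F) << 2:]             # skip IHL*4 header bytes
    return ether, ip, tcp


def tcp_payload_len(frame):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): total length minus
    IPv4 header length minus TCP header length = bytes of application data."""
    _, ip, tcp = layers(frame)
    total = int.from_bytes(ip[2:4], "big")
    return total - ((ip[0] & 0x0F) << 2) - ((tcp[12] & 0xF0) >> 2)


def http_data_only(frame):
    """The 'tcp port 80 and (... != 0)' filter: TCP to/from port 80 that
    actually carries data, so bare SYN/FIN/ACK segments are excluded."""
    _, ip, tcp = layers(frame)
    if ip[9] != IP_PROTO_TCP:
        return False
    sport, dport = struct.unpack("!HH", tcp[:4])
    return 80 in (sport, dport) and tcp_payload_len(frame) != 0


def is_syn_or_fin(frame):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 (flags live at TCP offset 13)."""
    _, _, tcp = layers(frame)
    return tcp[13] & (TCP_SYN | TCP_FIN) != 0


def l3_bcast_mcast_without_l2(frame):
    """ether[0] & 1 = 0 and ip[16] >= 224: IPv4 destination is multicast or
    broadcast (first octet >= 224) yet the Ethernet destination is unicast."""
    ether, ip, _ = layers(frame)
    return ether[0] & 1 == 0 and ip[16] >= 224


# Constructed sample frames (MACs and addresses are made up for this example).
UNICAST_MAC = bytes.fromhex("00aabbccddee")
MCAST_MAC = bytes.fromhex("01005e000001")
CLIENT, SERVER, ALLHOSTS = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\xe0\x00\x00\x01"

SYN_FRAME = build_frame(UNICAST_MAC, CLIENT, SERVER, 40000, 80, TCP_SYN,
                        tcp_options=b"\x02\x04\x05\xb4")        # MSS option
ACK_FRAME = build_frame(UNICAST_MAC, CLIENT, SERVER, 40000, 80, TCP_ACK)
DATA_FRAME = build_frame(UNICAST_MAC, CLIENT, SERVER, 40000, 80, TCP_PSH | TCP_ACK,
                         payload=b"GET / HTTP/1.0\r\n\r\n")
MCAST_OK = build_frame(MCAST_MAC, CLIENT, ALLHOSTS, 5000, 5001, TCP_ACK)
MCAST_ODD = build_frame(UNICAST_MAC, CLIENT, ALLHOSTS, 5000, 5001, TCP_ACK)

if __name__ == "__main__":
    for name, f in [("SYN", SYN_FRAME), ("ACK", ACK_FRAME), ("DATA", DATA_FRAME)]:
        print(name, "payload bytes:", tcp_payload_len(f),
              "http_data_only:", http_data_only(f), "syn_or_fin:", is_syn_or_fin(f))
    print("multicast IP on unicast MAC:", l3_bcast_mcast_without_l2(MCAST_ODD),
          l3_bcast_mcast_without_l2(MCAST_OK))
```

The SYN frame carries a 4-byte MSS option, which is why the data-offset nibble (not a fixed 20) has to be subtracted: with a 24-byte TCP header the payload length still comes out as 0, so the filter correctly drops it while keeping the 18-byte GET request.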

Fedora 14

“Fedora 14 (Laughlin)” is already running on my laptop. I have upgraded from v12 to v14.
The only issue was with the /boot disk space. In versions 13 and 14 the recommended /boot size is 500 MB, while in previous versions it was 200 MB. If you want to upgrade your system and have the same problem with the /boot partition, follow these instructions:

1. Create a file that takes up enough space that there is insufficient remaining disk space for preupgrade to download the kernel and initrd.img. That means we need to fill up /boot. Here's how to do that as root:

# dd if=/dev/zero of=/boot/preupgrade_filler bs=1M count=170

2. Install the newest available version of preupgrade.
3. Run preupgrade from a command prompt or the Run Application dialog. Provide the requested password for root authorization.
4. On the Choose desired release screen, enable unstable test releases.
5. Choose Rawhide from the list of available upgrade targets, then click Apply.
6. While downloading, preupgrade should warn that it failed to download installer data. Click Quit.
7. Next, change the amount of available disk space on the /boot partition by reducing the size of the /boot/preupgrade_filler file to 100 MB. This should leave sufficient room for preupgrade to download the kernel and initrd.img but not enough room to download install.img. Once again, use the dd command:

# dd if=/dev/zero of=/boot/preupgrade_filler bs=1M count=100

8. Re-run preupgrade. When prompted, click Yes to resume your upgrade.
9. While downloading, preupgrade should warn that there wasn't enough space to download install.img but that it can be downloaded after reboot if you have a wired network connection. Click Continue.
10. When preupgrade is done, don't reboot immediately. Instead, remove the /boot/preupgrade_filler file and make sure your computer is connected to the network via an ethernet cable:

# rm /boot/preupgrade_filler

11. Click Reboot.

Laptop: DELL XPS M1330
Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00 GHz
2GB shared Dual Channel 667MHz DDR2 SDRAM
160GB 7200 RPM SATA hard drive
128MB NVIDIA® GeForce® 8400M GS

Source: http://fedoraproject.org

Connect to CISCO router under Fedora

Today I will explain how to connect to a Cisco router with a USB to DB9 converter in Fedora. You can use the same method to connect to a switch, firewall or any other kind of device that uses this cable as a terminal (console) connection.

Scenario:

Machine: Dell laptop without serial port

OS: Fedora 12

Router: Cisco 2524 IOS: 11.1

Cable: RJ-45 to DB-9 female (management cable)

Converter: USB to DB9

First, you need terminal software. The most common is minicom, but you can also use Putty. Minicom is not as friendly as Putty. I will explain both and then you can choose 😉

Using minicom

Install as root

[user@localhost ~]$ su
Password:
[root@localhost user]# yum install minicom

Once you have minicom installed, it is time to configure the device. Before starting minicom you should know which port the converter is attached to. To get that information, type:

[root@localhost user]# dmesg | grep tty

You will get something like:

usb 2-2.1: FTDI USB Serial Device converter now attached to ttyUSB0

We know that the converter device is at /dev/ttyUSB0. Let's start minicom with the -s option (set-up mode). You can only start it with this option as root.

[root@localhost user]# minicom -s

Moving through the menu with the up and down keys, enter the “Serial Port setup” option.

Typing the letter shown on the left side of a line enters that option. Option “A” (Serial Device) is where you put the device found above, /dev/ttyUSB0, and option “E” (Bps/Par/Bits) is where you set the console speed, 9600.

Once you have configured everything, save it with the “Save setup as…” option and give it a name, for example: cisco

If you choose Exit you will be connected directly to the router; if not, choose “Exit from minicom” to close the application.

To start minicom with the configuration previously saved as cisco type as root:

[root@localhost user]# minicom cisco

That’s it!

Using Putty

Very simple. Install putty as root by typing:

[user@localhost ~]$ su
Password:
[root@localhost user]# yum install putty

Then, start putty with

[eduardo@localhost ~]$ putty

Configure serial port as before with:

[root@localhost user]# dmesg | grep tty

You will get something like:

usb 2-2.1: FTDI USB Serial Device converter now attached to ttyUSB0

In serial box type:

/dev/ttyUSB0

In speed box type:

9600

done!

Linux Commands II

If you want a good manual of Unix commands, you have two options:

1st – A small, quick manual of no more than 5 pages.

2nd – A list of all kinds of Linux commands in a book or PDF of 300 pages or more.

If you choose the first option and use every command in the list, you will know them within a week through use.

My point of view is: I like a book with thousands of commands, each with its explanation, to review. I will never know all the commands. It is stupid to try to know all of them when you have good built-in help and the best-known search engine 😉 Anyway, if you want to be a good administrator, you should know a long list. Each command has a list of options that you can check with:

[user@localhost ~]$ help {command}

or

[user@localhost ~]$ man {command}

That is why it is not mandatory to know every option of every command.

In this post, I will put some interesting commands.

TOP – Command to see CPU usage. It displays a listing of the most CPU-intensive tasks on the system.

Tasks: 193 total,   1 running, 192 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.8%us,  1.5%sy,  0.0%ni, 96.6%id,  0.0%wa,  0.2%hi,  0.0%si,  0.0%st
Mem:   2060700k total,  1849668k used,   211032k free,    58676k buffers
Swap:  4194292k total,       20k used,  4194272k free,  1187076k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2658 eduardo   20   0  129m  24m  16m S  2.3  1.2   2:42.51 chrome
 3321 eduardo   20   0  354m 112m  24m S  1.7  5.6   2:10.95 firefox
 1625 root      20   0 98412  62m  17m S  1.0  3.1  63:29.99 Xorg
 4421 root      20   0  2556 1104  824 R  0.7  0.1   0:00.30 top
 3658 eduardo   20   0  115m  25m  13m S  0.3  1.3   0:09.74 chrome
 3723 eduardo   20   0 48832  12m 9212 S  0.3  0.6   0:06.31 gnome-terminal
    1 root      20   0  2024  780  580 S  0.0  0.0   0:01.14 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/0
    4 root      20   0     0    0    0 S  0.0  0.0   0:00.16 ksoftirqd/0
    5 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
    6 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/1
    7 root      20   0     0    0    0 S  0.0  0.0   0:00.66 ksoftirqd/1
    8 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
    9 root      20   0     0    0    0 S  0.0  0.0   0:00.11 events/0
   10 root      20   0     0    0    0 S  0.0  0.0   0:01.25 events/1
   11 root      20   0     0    0    0 S  0.0  0.0   0:00.00 cpuset
   12 root      20   0     0    0    0 S  0.0  0.0   0:00.00 khelper
   13 root      20   0     0    0    0 S  0.0  0.0   0:00.00 netns
   14 root      20   0     0    0    0 S  0.0  0.0   0:00.00 async/mgr
   15 root      20   0     0    0    0 S  0.0  0.0   0:00.00 pm

PS – Reports the process status. Typed alone, this command shows you the processes running on your current terminal.

[user@localhost ~]$ ps
PID TTY          TIME CMD
3725 pts/0    00:00:00 bash
3743 pts/0    00:00:00 ps

Adding the following options, you can get the top 5 CPU users (the sort must be numeric, on the pcpu column; a plain text sort orders the percentages as strings and puts 4.8 ahead of 31.6):

[user@localhost ~]$ ps -eo pcpu,pid,user,args --sort=-pcpu | head -5
%CPU   PID USER     COMMAND
62.4  2538 user  vinagre
31.6  1625 root     /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-LC90Bs/database -nolisten tcp vt1
 4.8  2997 user  rhythmbox
 2.8  3321 user  /usr/lib/firefox-3.5/firefox http://www.google.com

MPSTAT – Displays the utilization of each CPU individually.

[root@localhost user]# mpstat
Linux 2.6.32.12-115.fc12.i686 (localhost.localdomain) 05/27/2010 _i686_ (2 CPU)

11:21:15 PM  CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest   %idle
11:21:15 PM  all   32.00    0.34   16.37    0.66    0.07    2.06    0.00    0.00   48.51

This command displays activities for each available processor and can be used on SMP (multiple CPU) and UP machines, but on the latter only global average activities will be printed:

[root@localhost user]# mpstat -P ALL
Linux 2.6.32.12-115.fc12.i686 (localhost.localdomain) 05/27/2010 _i686_ (2 CPU)

11:23:43 PM  CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest   %idle
11:23:43 PM  all   32.06    0.33   16.44    0.65    0.07    2.08    0.00    0.00   48.37
11:23:43 PM    0   48.16    0.37   14.58    0.82    0.05    1.24    0.00    0.00   34.77
11:23:43 PM    1   17.44    0.30   18.13    0.49    0.08    2.83    0.00    0.00   60.73
IOSTAT – Displays CPU statistics and input/output statistics for devices and partitions. Useful to know your CPU utilization since the last reboot.

[root@localhost user]# iostat
Linux 2.6.32.12-115.fc12.i686 (localhost.localdomain) 05/27/2010 _i686_ (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          32.17    0.32   18.63    0.64    0.00   48.24

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda               4.77       149.94       347.32    1680964    3893686
sdb               0.03         0.87         0.00       9782          1

VMSTAT – Reports information about processes, memory, paging, block IO, traps, and cpu activity.

[root@localhost user]# vmstat 3
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
2  0    548  52268  55060 1212524    0    0    37    81  955 1157 32 18 48  1  0
2  0    548  54620  55464 1209524    0    0   252  4275 1769 1565 24  4 52 20  0
1  0    548  54224  55548 1204264    0    0    37  3940 1624 1536 20  4 60 15  0
1  0     20  52704  55600 1201252   45    0   145  3536 1258 1306  7  5 60 28  0

TCPDUMP – Dump traffic on a network.

[root@localhost user]# tcpdump 'tcp port pop3'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

NETSTAT – Displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The output of this command can be very long, but you can add some options to get a short summary, for example a count of connections per TCP state:

[root@localhost user]# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
1 established)
1 ESTABLISHED
1 Foreign
1 TIME_WAIT
10 LISTEN
51 CLOSE_WAIT
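The "1 established)" and "1 Foreign" lines in that summary are not connection states: they are the sixth field of the two netstat banner lines ("Active Internet connections (servers and established)" and the column-header line), which the awk pipeline counts like any other row. The following added example, not part of the original post, reproduces the pipeline's logic in Python over a constructed netstat listing, shows where those two entries come from, skips the banners, and adds a simple CLOSE_WAIT check. The function names, the sample output and the threshold are this example's own.

```python
"""Added example (not from the original post): reproduce the
awk '{print $6}' | sort | uniq -c | sort -n summary in Python and show why
the two netstat header lines leak into it as "established)" and "Foreign".
The netstat output below is constructed, not captured from a real host."""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:80             10.0.0.20:40001         CLOSE_WAIT
tcp        0      0 10.0.0.5:80             10.0.0.20:40002         CLOSE_WAIT
tcp        0      0 10.0.0.5:443            10.0.0.21:40003         TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
"""


def state_counts(netstat_output, skip_headers=True):
    """Count the 6th whitespace-separated field of each line, like awk's $6.
    With skip_headers=False the two banner lines are counted too, which is
    exactly what produces the odd 'established)' and 'Foreign' entries."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        if skip_headers and not fields[0].startswith("tcp"):
            continue                       # 'Active ...' and 'Proto ...' banners
        counts[fields[5]] += 1
    return counts


def summary(counts):
    """Return (count, state) pairs ascending by count, as 'sort -n' prints them."""
    return sorted((n, state) for state, n in counts.items())


def close_wait_warning(counts, limit=20):
    """Defender's check: a pile of CLOSE_WAIT sockets means a local program is
    not closing connections its peer has already shut down (a resource leak);
    limit is a made-up threshold, tune it for the host."""
    return counts.get("CLOSE_WAIT", 0) >= limit


if __name__ == "__main__":
    raw = state_counts(SAMPLE_NETSTAT, skip_headers=False)
    clean = state_counts(SAMPLE_NETSTAT)
    for n, state in summary(raw):
        print(f"{n:>7} {state}")       # note the spurious established) / Foreign
    print("---")
    for n, state in summary(clean):
        print(f"{n:>7} {state}")
    print("CLOSE_WAIT warning:", close_wait_warning(clean, limit=2))
```

The same fix in the shell is to skip the banners before counting, for example `awk 'NR>2 {print $6}'`; the Python version just makes the cause visible. A large CLOSE_WAIT count, like the 51 in the listing above, points at a local application that is not closing sockets after the remote side hangs up, which is worth checking before blaming the network.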
Sources: