Archive for the ‘Work’ Category

Monitor a specific packet type with tcpdump

Thursday, April 2nd, 2009

tcpdump is a powerful network traffic dump utility. Here’s an example of how to use it to watch for a specific packet type on a specific interface.

Print SYN but not SYN ACK packets
$ tcpdump -nn -i eth0 'tcp[13] & 0x12=0x02'

Print SYN or SYN ACK packets
$ tcpdump -nn -i eth0 'tcp[13] & 0x02=0x02'

Print FIN packets
$ tcpdump -nn -i eth0 'tcp[13] & 0x01=0x01'

Here’s a breakdown of how the previous commands work.

-nn Don’t convert host addresses or port numbers to names

-i eth0 Listen on interface

proto [ byte offset: size ]

Available proto (protocol) layers: ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio.

Size (optional values: one, two, or four) defaults to one, and indicates the number of bytes for comparison.

Example: $ tcpdump -nn -i eth0 'tcp[13] & 0x12=0x02'

tcp[13] says use the data (one byte) inside the packet at byte offset 13 of the tcp protocol layer, which is the TCP flags byte, for comparison.

& 0x12=0x02 says execute a bitwise AND against the bits 0001 0010 and match on the bits 0000 0010, i.e. SYN set and ACK clear. It’s important to bitmask at least down to the control bits, which reside at 0x3f or 0011 1111, as we are not interested in the presence of the ECN bits (ECE and CWR) in the top two positions, and they would otherwise disturb our comparison results.

& 0x3f=0x02 is more thorough than & 0x12=0x02 (because it checks all six control bits, 0011 1111, rather than just 0001 0010) and can be used in its place. You can use a decimal value on the right side of the comparison (e.g. 0x12=2), but I find it helpful to use the hex value since you’re already using hex for the bitmask.

It should be noted that you can also use the named TCP flag values: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

Print SYN but not SYN ACK packets
$ tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack = 0'

But that’s not nearly as fun, right?
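The mask arithmetic above, worked through in the shell as an added example that is not part of the original post: it evaluates the same (byte & mask) = value test tcpdump compiles, over constructed flag bytes, and shows where the 0x12 and 0x3f masks disagree.

```shell
#!/bin/sh
# Added example (not from the original post): evaluates tcpdump's
# 'tcp[13] & MASK = VALUE' test on sample flag bytes, so the masks discussed
# above can be compared without capturing any traffic.

# Bit layout of tcp[13], low to high: FIN SYN RST PSH ACK URG ECE CWR.
# Prints the flags set in byte $1 using tcpdump's names (ECE/CWR are the
# two ECN bits the post says to mask out).
flag_names() {
    b=$(( $1 )); out=""
    [ $((b & 0x01)) -ne 0 ] && out="$out tcp-fin"
    [ $((b & 0x02)) -ne 0 ] && out="$out tcp-syn"
    [ $((b & 0x04)) -ne 0 ] && out="$out tcp-rst"
    [ $((b & 0x08)) -ne 0 ] && out="$out tcp-push"
    [ $((b & 0x10)) -ne 0 ] && out="$out tcp-ack"
    [ $((b & 0x20)) -ne 0 ] && out="$out tcp-urg"
    [ $((b & 0x40)) -ne 0 ] && out="$out ece"
    [ $((b & 0x80)) -ne 0 ] && out="$out cwr"
    printf '%s\n' "${out# }"
}

# True (exit 0) when (byte & mask) == value, the test tcpdump compiles
# for 'tcp[13] & mask = value'. Args: byte mask value (hex or decimal).
flag_test() {
    [ $(( $1 & $2 )) -eq $(( $3 )) ]
}

# Applies the three filters from the post plus the stricter 0x3f variant
# to byte $1 and prints the names of those that pass it ("-" if none).
matching_filters() {
    r=""
    flag_test "$1" 0x12 0x02 && r="$r,syn-not-synack(0x12)"
    flag_test "$1" 0x3f 0x02 && r="$r,syn-only(0x3f)"
    flag_test "$1" 0x02 0x02 && r="$r,syn-or-synack"
    flag_test "$1" 0x01 0x01 && r="$r,fin"
    r=${r#,}
    printf '%s\n' "${r:--}"
}

# Constructed sample bytes: plain SYN, SYN-ACK, SYN with both ECN bits set
# (normal for ECN-capable hosts), FIN-ACK, and a bogus SYN+FIN. The last
# row shows the 0x12 mask letting SYN+FIN through while 0x3f rejects it.
for byte in 0x02 0x12 0xc2 0x11 0x03; do
    printf '%-4s  %-18s  %s\n' "$byte" "$(flag_names "$byte")" "$(matching_filters "$byte")"
done
```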


Windows PowerShell Execution Policies

Wednesday, May 28th, 2008

Windows PowerShell sets its execution policy to Restricted by default, which means PowerShell can only be used in interactive mode (no scripts will run). Use the Get-ExecutionPolicy cmdlet to check which execution policy is currently in force.

$ Get-ExecutionPolicy

The following execution policy definitions are from Microsoft’s website:

  • Restricted – No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • AllSigned – Only scripts signed by a trusted publisher can be run.
  • RemoteSigned – Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Unrestricted – No restrictions; all Windows PowerShell scripts can be run.

To change the execution policy, use Set-ExecutionPolicy. The following will enable you to execute all PowerShell scripts.

$ Set-ExecutionPolicy Unrestricted

Windows PowerShell – Recursively delete files and directories modified more than ‘n’ days ago.

Thursday, May 22nd, 2008

I was recently tasked with writing a script that recursively deletes files and directories modified more than ‘n’ days ago – here’s the kicker – using Windows. Many people have accomplished this with long VB Scripts. I was hoping for a much cleaner solution, and decided to try Windows PowerShell. I am quite impressed with Windows PowerShell’s capabilities.

The following script recursively deletes files and directories modified more than 16 days ago.

# prune.ps1
# Anything whose last-write time is before this cutoff (16 days ago) is deleted.
$sticky = (Get-Date).AddDays(-16)
$backupDir = "B:\backup"
Write-Output "Recursively deleting files and directories written before $sticky"
# A directory's LastWriteTime only changes when entries are added to or removed
# from it, so a directory older than the cutoff is removed with everything in it.
Get-ChildItem $backupDir -Recurse | Where-Object { $_.LastWriteTime -lt $sticky } | Remove-Item -Recurse

Note that you can change Remove-Item -Recurse to Remove-Item -WhatIf to “pretend” to delete files and display the would-be deletions on STDOUT. You can also specify Remove-Item -Confirm.

I created a scheduled task that runs a .bat file containing the following:
powershell.exe c:\scripts\prune.ps1 >> c:\scripts\logs\prune.log

To watch the output of the script as it runs, specify the -noexit switch on the command line.
powershell.exe -noexit c:\scripts\prune.ps1

Software raid 1 – Failing and recovering a disk

Tuesday, April 29th, 2008

A software raid group disk failed in one of my servers yesterday.

The kernel was spewing SCSI errors:

kernel: ata2: status=0xd0 { Busy }
kernel: SCSI error : return code = 0x8000002

# mdadm --detail /dev/md0
# mdadm --detail /dev/md1

both reported their sdb partition as failed.

The procedure to rebuild the md groups is as follows:

Replace the bad disk (sdb in this scenario). Note that if you do not bring down the server to replace the disk, be sure to “remove” the disk from the raid groups using mdadm first.

# mdadm --remove /dev/md0 /dev/sdb1
# mdadm --remove /dev/md1 /dev/sdb2

Read the good disk’s partition table (sda in this scenario).

# fdisk -l /dev/sda
Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   fd  Linux raid autodetect
/dev/sda2              14       19457   156183930   fd  Linux raid autodetect

Install an identical partition table on the newly replaced disk. Create partitions that start and end on the same listed cylinders and are of type “fd”. Be sure to set the boot flag, and don’t forget to write the changes.

# fdisk /dev/sdb

Add partitions back to the appropriate raid groups.

# mdadm --add /dev/md0 /dev/sdb1
# mdadm --add /dev/md1 /dev/sdb2

Ensure the raid groups are rebuilding properly.

# mdadm --detail /dev/md0
# mdadm --detail /dev/md1

Searching and executing with find(1)

Thursday, April 17th, 2008

This afternoon I was faced with searching a directory tree for large files that have rotated within the last 24 hours – a symptom of a problem we were experiencing with a service.

Here’s what I put together quickly:

# find -iname name-\*.log -mtime 0 -exec du -sh {} \;

Explanation of the switches (from the find man page):

-iname pattern
Base of file name (the path with the leading directories removed) matches the given shell pattern, case insensitively

-mtime n
File’s data was last modified n*24 hours ago (find rounds the age down to whole days, so -mtime 0 means modified within the last 24 hours).

-exec command {} \;
run the specified command on the matched files
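The -mtime semantics above, shown on a scratch directory tree as an added example that is not part of the original post: the file names and timestamps are constructed, and the pattern is quoted rather than backslash-escaped.

```shell
#!/bin/sh
# Added example (not from the original post): builds a small scratch tree
# and runs the post's find pattern over it, to show that -mtime 0 selects
# only files written within the last 24 hours. File names are constructed.

# Creates the sample tree under directory $1: one log rotated just now,
# one rotated long ago, and a non-log file.
make_tree() {
    mkdir -p "$1/sub"
    printf 'fresh rotated log\n' > "$1/sub/name-1.log"   # mtime = now
    printf 'old rotated log\n'   > "$1/name-0.log"
    touch -t 200804170000 "$1/name-0.log"                 # mtime = 17 Apr 2008
    printf 'not a log\n'         > "$1/name-2.txt"
}

# Runs the post's command from inside $1 and prints only the matching paths
# (du's size column dropped), sorted.
recent_logs() {
    ( cd "$1" && find . -iname 'name-*.log' -mtime 0 -exec du -sh {} \; ) \
        | awk '{ print $NF }' | sort
}

# The complement a cleanup job would want: logs NOT modified in the last
# 24 hours (-mtime +0 means the rounded age is greater than 0 days).
stale_logs() {
    ( cd "$1" && find . -iname 'name-*.log' -mtime +0 ) | sort
}

tmp=$(mktemp -d)
make_tree "$tmp"
echo "recent: $(recent_logs "$tmp")"
echo "stale:  $(stale_logs "$tmp")"
rm -rf "$tmp"
```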

It’s not complex (and probably not post-worthy), but someone may find it helpful.