Print SYN but not SYN ACK packets
$ tcpdump -nn -i eth0 ‘tcp[13] & 0×12=0×02′

Print SYN or SYN ACK packets
$ tcpdump -nn -i eth0 ‘tcp[13] & 0×02=0×02′

Print FIN packets
$ tcpdump -nn -i eth0 ‘tcp[13] & 0×01=0×01′

Here’s a breakdown of how the previous commands work.

-nn Don’t convert host addresses or port numbers to names

-i eth0 Listen on interface

proto [ byte offset: size ]

Available proto (protocol) layers: ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio.

Size (optional values: one, two, or four) defaults to one, and indicates the number of bytes for comparison.

Example: $ tcpdump -nn -i eth0 ‘tcp[13] & 0×12=0×02′

tcp[13] says use the data (one byte) inside the packet using the tcp protocol layer at byte offset 13 for comparison.”

& 0×12=0×02 says execute a bitwise AND operation against the bits 0001 0010 and match on the bits 0000 0010. It’s important to bitmask at least down to the control bits which reside at 0x3f or 0011 1111, as we are not interested in the presence of ECN bits (which contain ECE and CWR), and they may manipulate our comparison results.

& 0x3f=0×02 is more thorough than 0×12=0×02 (because it checks all of the control bits (0011 1111) rather than just 0001 0010) and can be used in its place. You can use the decimal value for the right side of the comparison (eg. 0×12=2), but I find it helpful to use the Hex value as you’re already using a Hex value for the bitmasking.

It should be noted that you can also use the available TCP flags field values: tcp-fin, tcp-syn, tcp-rest, tcp-push, tcp-ack, tcp-urg.

Print SYN but not SYN ACK packets
$ tcpdump -nn ‘tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack = 0′

But that’s not nearly as fun, right?

References:
TCP Header
Hexadecimal
Mask (computing)

$ Get-ExecutionPolicy


The following execution policy definitions are from Microsoft’s website:

• Restricted – No scripts can be run. Windows PowerShell can be used only in interactive mode.
• AllSigned – Only scripts signed by a trusted publisher can be run.
• RemoteSigned – Downloaded scripts must be signed by a trusted publisher before they can be run.
• Unrestricted – No restrictions; all Windows PowerShell scripts can be run.

To change the execution policy, use Set-ExecutionPolicy. The following will enable you to execute all PowerShell scripts.

$ Set-ExecutionPolicy Unrestricted

The following script recursively deletes files and directories modified more than 16 days ago.

# prune.ps1
$sticky = (Get-date).AddDays(-16)
$backupDir = "B:\backup"
echo "Recursively deleting files and directories written before $sticky"
Get-ChildItem $backupDir -Recurse | Where-Object { $_.LastWriteTime -lt $sticky } | Remove-Item -Recurse


Note that you can change Remove-Item -Recurse to Remove-Item -Whatif to “pretend” to delete files, and display potential deletes on STDOUT. You can also specify Remove-Item -Confirm.

I created a scheduled task that runs a .bat file containing the following:
powershell.exe c:\scripts\prune.ps1 >> c:\scripts\logs\prune.log

To watch and or view the output of the script, specify the -noexit switch on the command line.
powershell.exe -noexit c:\scripts\prune.ps1

The kernel was spewing SCSI errors:

kernel: ata2: status=0xd0 { Busy }
kernel: SCSI error : return code = 0×8000002

# mdadm --display /dev/md0
# mdadm --display /dev/md1

both reported a failed disk sdb*

The procedure to rebuild the md groups is as follows:

Replace bad disk (sdb in this scenario.) Note that if you do not bring down the server to replace the disk, be sure to “remove” the disk from the raid groups using mdadm.

# mdadm --remove /dev/md0 /dev/sdb0
# mdadm --remove /dev/md1 /dev/sdb1

Read the good disk’s partition table (sda in this scenario.)

# fdisk -l /dev/sda
Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 fd Linux raid autodetect
/dev/sda2 14 19457 156183930 fd Linux raid autodetect

Install identical partition table on newly replaced disk. Create partitions that start and end on the same listed cylinders and are of type “fd.” Be sure to set the boot flag, and don’t forget to write the changes.

# fdisk /dev/sdb

Add partitions back to the appropriate raid groups.

# mdadm --add /dev/md0 /dev/sdb0
# mdadm --add /dev/md1 /dev/sdb1

Ensure the raid groups are rebuilding properly.

# mdadm --display /dev/md0
# mdadm --display /dev/md1

Here’s what I put together quickly:

# find -iname name-\*.log -mtime 0 -exec du -sh {} \;

Explanation of the switches (from the find man page):

-iname pattern
Base of file name (the path with the leading directories removed) matches case insensitive shell pattern pattern

-mtime n
data was last modified n*24 hours ago.

-exec command {} \;
run the specified command on the matched files


It’s not complex (and probably not post-worthy,) but someone may find it helpful.