Strange entry in tcpdump info for Rsyslog Message - linux

I have a problem with rsyslog. It works as a log collector for some devices. When I check with tcpdump I see the line below coming in.
Facility user (1), Severity info (6)
Msg: 1 2014-01-26T15:21:25.345+03:00 XXX_XXX-Node1 [|syslog]
15:21:37.526894 IP (tos 0x0, ttl 245, id 36018, offset 0, flags [none], proto UDP (17), length 708) xxx.syslog > xxx.syslog: SYSLOG, length: 680
Length is 680. Before we upgraded the remote end it was the same length and it was working fine. Nothing changed except the version of the remote end (log sender). But there is a strange [|syslog] entry there and I can not see the message.
Has anybody hit this kind of issue before? Do you have any ideas why it could happen?
Thanks
Suner

By default tcpdump does not capture the entire packet. If you read the tcpdump man page, you'll find information about the -s option, which says:
-s Snarf snaplen bytes of data from each packet rather than the
default of 65535 bytes. Packets truncated because of a limited
snapshot are indicated in the output with ``[|proto]'', where
proto is the name of the protocol level at which the truncation
has occurred...
Your output contains [|syslog], which indicates the packet was truncated. Try specifying a larger value (e.g., tcpdump -s 1500 ...).
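The answer above explains the marker; the following added example (not part of the original answer, pure standard-library Python) shows the mechanism it describes: a pcap record stores both the captured length and the original length, a capture taken with a small snaplen keeps only the first bytes of each frame, and a decoder that walks Ethernet/IPv4/UDP notices the UDP length field promising more bytes than were captured, which is the point at which tcpdump prints "[|syslog]". The syslog datagram, MAC/IP addresses and the 96-byte snaplen are constructed for the example (PRI <14> is facility user, severity info, as in the question); checksums are left zero.

```python
import struct

# Added example (not from the original post): emulate what a capture with a small
# snaplen does to a syslog datagram and reproduce tcpdump's "[|proto]" marker from
# the captured bytes. Pure stdlib, no network access.

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_HLEN, IP_HLEN, UDP_HLEN = 14, 20, 8

# Constructed RFC 5424 message; PRI <14> = facility user(1)*8 + severity info(6).
# Header fields are modelled on the ones visible in the question's tcpdump output.
SYSLOG_MSG = ("<14>1 2014-01-26T15:21:25.345+03:00 XXX_XXX-Node1 app 1234 ID47 - "
              + "constructed log body " * 28)

def build_syslog_frame(payload: bytes, sport=514, dport=514) -> bytes:
    """Ethernet/IPv4/UDP frame carrying `payload` (constructed; checksums left 0)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HLEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + len(udp), 36018, 0, 245, 17, 0,
                     bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1])) + udp
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", 0x0800)
    return eth + ip

SYSLOG_FRAME = build_syslog_frame(SYSLOG_MSG.encode())

def build_pcap(packets, snaplen: int) -> bytes:
    """Classic pcap in memory. Like `tcpdump -s <snaplen>`, each record keeps only the
    first `snaplen` bytes; incl_len < orig_len is how the file records the truncation."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, frame in packets:
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, 0, len(kept), len(frame)) + kept
    return out

def read_pcap(data: bytes):
    """Return (snaplen, [(incl_len, orig_len, frame_bytes), ...]) for a little-endian pcap."""
    magic, _, _, _, _, snaplen, _ = struct.unpack_from("<IHHiIII", data, 0)
    assert magic == PCAP_MAGIC, "example only handles little-endian pcap"
    off, records = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records

def decode_record(record):
    """Walk Ethernet -> IPv4 -> UDP -> syslog. `trunc` names the layer at which the
    captured bytes ran out, mirroring tcpdump's [|ether], [|ip], [|udp], [|syslog]."""
    incl_len, orig_len, frame = record
    if len(frame) < ETH_HLEN:
        return {"trunc": "ether", "msg": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return {"trunc": None, "msg": None}          # not IPv4: out of scope here
    if len(frame) < ETH_HLEN + IP_HLEN:
        return {"trunc": "ip", "msg": None}
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    if frame[ETH_HLEN + 9] != 17:
        return {"trunc": None, "msg": None}          # not UDP
    udp_off = ETH_HLEN + ihl
    if len(frame) < udp_off + UDP_HLEN:
        return {"trunc": "udp", "msg": None}
    _, _, udp_len, _ = struct.unpack_from("!HHHH", frame, udp_off)
    payload = frame[udp_off + UDP_HLEN:]
    expected = udp_len - UDP_HLEN                   # what the UDP header promises
    return {
        "trunc": "syslog" if len(payload) < expected else None,
        "msg": payload.decode("utf-8", errors="replace"),
        "captured": len(payload), "expected": expected,
        "record_truncated": incl_len < orig_len,
    }

def decode_capture(snaplen: int):
    """Capture the constructed frame at `snaplen` and decode the single record."""
    _, records = read_pcap(build_pcap([(1390738885, SYSLOG_FRAME)], snaplen))
    return decode_record(records[0])

if __name__ == "__main__":
    for snaplen in (96, 65535):   # 96 bytes cuts the message; 65535 keeps all of it
        r = decode_capture(snaplen)
        marker = f" [|{r['trunc']}]" if r["trunc"] else ""
        print(f"snaplen {snaplen}: {r['captured']}/{r['expected']} payload bytes: "
              f"{r['msg'][:60]!r}{marker}")
```

With the 96-byte snaplen the decoder sees only the first 54 bytes of the datagram, which is roughly the "1 2014-01-26T15:21:25.345+03:00 XXX_XXX-Node1" prefix shown in the question before the marker; the same packet captured with a full snaplen decodes completely. The same check (UDP length versus bytes actually present) is what you should apply when writing your own pcap tooling, since a silently truncated payload is easy to mistake for a malformed sender.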

Related

AWS changes the port number to name

AWS automatically changes the well-known port numbers to names.
For example 554 to rtsp.
When I am installing iptables rules with the port number 554, it's getting changed to rtsp. This is creating a problem when searching because my program passes 554 as a parameter.
How can I make sure that AWS doesn't change the number to a name?
In the picture we can see the dpt:rtsp, which actually should be dpt:554.
Perhaps you're looking for iptables --list -n? The -n prints "numeric output of addresses and ports."

Find the max value of TTL in DNS Wireshark

I have a pcap file which contains many DNS requests and responses and I want to find the max value of the ttl field from all of these packets. For example:
If my pcap packets are the following:
DNS response ttl 1045
DNS response ttl 202
DNS response ttl 45
DNS response ttl 162
DNS response ttl 398
I want to find out how to receive the value 1045, or even the packet itself.
It's all new to me so please try to explain carefully.
thanks for the helpers
To find the maximum TTL among packets from your pcap file, you could add a new TTL column and sort by this column.
To do this, you can right click on one of the column's name (e.g., Source), go to Column Preferences..., click the + sign at the bottom of the new window, and complete the new row that appeared with a title and dns.resp.ttl as the Fields option.
If you go back to the main Wireshark window, you should have a new column, which you can use to sort packets.
You can also accomplish this by using command-line tools, which I find to be faster and simpler, and depending on your needs, can also be scripted. For example:
tshark -r file.pcap -Y dns.resp.ttl -T fields -e dns.resp.ttl -E aggregator=/s | sort -nr | head -1
This command:
Utilizes the Wireshark command-line companion capture tool tshark to read the given file, filtering only for those packets containing a dns.resp.ttl field and then writing only that field to stdout, which is then piped to sort
sort is then instructed to conduct a reverse numeric sort (so highest-to-lowest value instead of the default lowest-to-highest) and pipe that output to head
head -1 will then display only the 1st line of output (instead of the default 10 lines), which will be the largest value ... probably*.
Refer to the tshark man page for more details about the options I used, such as -Y and -e, and to the sort and head man pages for more details about those commands.
*You should know that it's possible for some DNS packets to contain more than one occurrence of the dns.resp.ttl field, so this command may not always give you the largest overall value if the largest value happens to be contained within a packet with multiple occurrences of that field and where it isn't the first occurrence. This is also true for the Wireshark solution though. In other words, when you sort the column from high-to-low, the largest value may not necessarily be the first one if a packet contains multiple occurrences of the field because the sort only takes into account the value of the first occurrence.
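The footnote above is the part worth automating. The following added example (mine, not part of the original answer) reads the text that tshark writes when asked for the frame number as well as every TTL occurrence, i.e. tshark -r file.pcap -Y dns.resp.ttl -T fields -e frame.number -e dns.resp.ttl -E aggregator=, (tab-separated columns, several TTLs in one packet joined with commas), takes the maximum over all occurrences rather than only the first one per packet, and returns the frame number so the packet itself can be pulled up. The sample output is constructed; frame 7 is the case the footnote warns about.

```python
# Added example (not from the answer above): largest TTL over *every* resource record
# in every packet, with the frame that carries it. Input is the output of
#   tshark -r file.pcap -Y dns.resp.ttl -T fields -e frame.number -e dns.resp.ttl -E aggregator=,
# (dns.resp.ttl covers answer, authority and additional records, so one packet may
# contribute several values).

# Constructed sample: frame 7 carries two records and the overall maximum is its
# second TTL, which a first-occurrence-only sort never looks at.
SAMPLE = "4\t1045\n7\t202,86400\n9\t45\n11\t162\n15\t398\n"

def parse_tshark_fields(text):
    """Yield (frame_number, [ttl, ...]) for each non-empty tab-separated line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, _, ttls = line.partition("\t")
        yield int(frame), [int(t) for t in ttls.split(",") if t]

def max_ttl(text):
    """(ttl, frame) of the largest TTL across all occurrences in all packets."""
    best = None
    for frame, ttls in parse_tshark_fields(text):
        for ttl in ttls:
            if best is None or ttl > best[0]:
                best = (ttl, frame)
    return best

def max_ttl_first_occurrence(text):
    """What a one-value-per-packet sort sees (the blind spot of `sort -nr | head -1`
    and of sorting a dns.resp.ttl column in Wireshark): only each packet's first TTL."""
    best = None
    for frame, ttls in parse_tshark_fields(text):
        if ttls and (best is None or ttls[0] > best[0]):
            best = (ttls[0], frame)
    return best

def display_filter(result):
    """Wireshark/tshark display filter that isolates the winning packet."""
    ttl, frame = result
    return f"frame.number == {frame} && dns.resp.ttl == {ttl}"

if __name__ == "__main__":
    print("all occurrences :", max_ttl(SAMPLE))                   # (86400, 7)
    print("first only      :", max_ttl_first_occurrence(SAMPLE))  # (1045, 4)
    print("filter          :", display_filter(max_ttl(SAMPLE)))
```

Feed it real data with tshark ... | python3 max_ttl.py (reading sys.stdin instead of SAMPLE); the display filter it prints can be pasted straight into Wireshark to land on the packet, which answers the "or even the packet itself" part of the question.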

Does scapy support IEEE 802.1ad?

I've checked the latest Scapy sources and there isn't any 802.1AD support, yet I have seen Scapy scripts referencing Dot1AD.
For the record, 802.1ad support was imported into Scapy master on July 30, 2016. So you don't need to get scapy-com (no longer maintained) and can use the "regular" Scapy. The associated layer is Dot1AD().
After some additional searching, it turns out that the Scapy community has created a fork of Scapy which supports 802.1AD. Here is a link. Scripts referencing Dot1AD use the scapy-com module.
You can do the following:
>>> from scapy.all import Ether, Dot1AD
>>> packet = Ether(src='94:c6:91:1c:68:c3',dst='94:c6:91:1c:68:1d')
Then add an 802.1ad layer:
>>> packet = packet/Dot1AD(vlan=20)
Then display the packet:
>>> packet.show()
###[ Ethernet ]###
dst= 94:c6:91:1c:68:1d
src= 94:c6:91:1c:68:c3
type= n_802_AD
###[ 802_1AD ]###
prio= 0
id= 0
vlan= 20
type= 0x0
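Scapy hides what Dot1AD actually puts on the wire. The following added example (mine, not from the answer above, and deliberately independent of Scapy so it runs anywhere) builds the same Ether()/Dot1AD(vlan=20) stack as raw bytes with an inner 802.1Q tag, then parses the tag stack back. The outer TPID 0x88a8 is the value Scapy displays as n_802_AD; the MAC addresses are the ones from the answer and the inner VLAN, priority and payload are constructed.

```python
import struct

# Added example (not from the answer above, no Scapy needed): the 802.1ad "QinQ"
# wire format. An S-tag (TPID 0x88a8) wraps a C-tag (TPID 0x8100); each tag is
# 4 bytes: TPID followed by TCI = 3-bit PCP | 1-bit DEI | 12-bit VID.
TPID_8021AD = 0x88A8       # S-tag, what Scapy's Dot1AD emits and shows as n_802_AD
TPID_8021Q = 0x8100        # C-tag, Scapy's Dot1Q
TPID_QINQ_LEGACY = 0x9100  # pre-standard outer TPID still found on some provider gear
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def vlan_tag(tpid, vlan, prio=0, dei=0):
    """One 4-byte VLAN tag; rejects out-of-range VID/PCP instead of silently wrapping."""
    if not 0 <= vlan <= 4095 or not 0 <= prio <= 7 or dei not in (0, 1):
        raise ValueError("VID must be 0..4095, PCP 0..7, DEI 0/1")
    return struct.pack("!HH", tpid, (prio << 13) | (dei << 12) | vlan)

def build_frame(dst, src, tags, ethertype, payload):
    """`tags` is an outer-to-inner list of (tpid, vlan, prio); empty means untagged."""
    out = mac(dst) + mac(src)
    for tpid, vlan, prio in tags:
        out += vlan_tag(tpid, vlan, prio)
    return out + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload). Tags are (kind, vlan, prio) with
    kind 'S' for 802.1ad (or legacy 0x9100) and 'C' for 802.1Q, outer first."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("frame ends inside the tag stack")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021AD, TPID_8021Q, TPID_QINQ_LEGACY):
            return dst, src, tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        kind = "C" if etype == TPID_8021Q else "S"
        tags.append((kind, tci & 0x0FFF, tci >> 13))
        off += 4

# Constructed QinQ frame with the MACs from the answer: S-VLAN 20 (Dot1AD(vlan=20))
# around C-VLAN 100 with PCP 5; payload is the start of a dummy IPv4 header.
QINQ_FRAME = build_frame("94:c6:91:1c:68:1d", "94:c6:91:1c:68:c3",
                         [(TPID_8021AD, 20, 0), (TPID_8021Q, 100, 5)],
                         ETHERTYPE_IPV4, bytes.fromhex("4500001400010000"))

if __name__ == "__main__":
    dst, src, tags, etype, payload = parse_frame(QINQ_FRAME)
    print(fmt_mac(dst), "<-", fmt_mac(src), "tags:", tags, f"ethertype: 0x{etype:04x}")
    print("outer TPID on the wire:", QINQ_FRAME[12:14].hex())   # 88a8
```

The parser keeps walking while it sees a known TPID, so it handles untagged, single-tagged and double-tagged frames alike; that loop is also where a sniffer or IDS has to be careful, because a frame carrying more tags than a switch or filter expects is a classic way for traffic to land in a VLAN it was not supposed to reach.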

Raspberry Pi, JCblock and Trendnet TFM 561U. Doesn't seem to work

The dev suggested to ask here to get more help.
This is what is happening, I bought a Raspberry Pi (second one, I know how to handle them, and I'm used to apt and ssh) and a Trendnet TFM561U modem, downloaded NOOBS, did the initial setup with an extra in the shape of Webmin. So far aside from Webmin, it's a vanilla Raspbian. I then downloaded JCblock ( http://sourceforge.net/projects/jcblock/ ) and following the instructions here http://weeklytechforum.com/2013/03/28/block-unwanted-calls-with-a-raspberry-pi/ I edited the files that needed editing and finally compiled. I found out what serial port the modem was using (same as the guide! cool) and finally proceeded to test it. That's where the trouble started.
The difference between me and the guide is that I'm in Italy, so the dev of JCblock made me edit the source with a few extra lines of code to talk to the modem... now it's a great time to point out that while I can edit code and recompile it, this is C and I absolutely have no clue about it, knowing just some basics from Pascal and a bit of Visual Basic, so in the end I'm editing the source blindly, just guessing where things need to go. Anyway the edits are to send the Country Code command: AT+GCI=59\r and Caller ID command: AT+VCID=1\r but we do not seem to be getting caller ID data from the modem.
What I'm expecting to see: I call with my cellphone (and that number is in the blacklist) the Raspberry doesn't make the phone ring, or in case of wrong configuration of the blacklist I get some output that will show a call not filtered.
What I get: the phone rings, the modem data light flashes, the program doesn't output anything.
Any help will be appreciated, thanks.
EDIT:
So, I went ahead and used NCID to see what would happen.
As it generates a cornucopia of data, I think it can be useful
Started: 10/27/2014 22:24:54
Server: ncidd (NCID) 1.0
API: 1.0 Feature Set 1 2 3 4
Command line: ncidd
-Dv3
Logfile: /var/log/ncidd.log
Processed config file: /etc/ncid/ncidd.conf
Verbose level: 3
Configured to send 'cidlog' to clients.
Configured to send 'cidinfo' to clients.
Helper tools:
/usr/bin/cidupdate
/usr/bin/ncidutil
Processed alias file: /etc/ncid/ncidd.alias
Alias Table:
Number of Entries: 1
Leading 1 from a call required in an alias definition
Calls in the blacklist file will be terminated
Processed blacklist file: /etc/ncid/ncidd.blacklist
Blacklist Table:
Number of Entries: 12
Calls in the whitelist file will not be terminated
Processed whitelist file: /etc/ncid/ncidd.whitelist
Whitelist Table:
Number of Entries: 0
CID logfile: /var/log/cidcall.log
CID logfile maximum size: 110000 bytes
Data logfile not present: /var/log/ciddata.log
Maximum number of clients/gateways: 25
Telephone Line Identifier: -
TTY port opened: /dev/ttyACM0
TTY port speed: 19200
TTY lock file: /var/lock/LCK..ttyACM0
TTY port control signals enabled
CallerID from AT Modem and optional gateways
Handles modem calls without Caller ID
Sent Modem 20 of 20 characters:
AT Z S0=0 E1 V1 Q0
Modem response: 26 characters in 1 read:
AT Z S0=0 E1 V1 Q0
OK
Try 1 to init modem: return = 0.
Modem initialized.
Sent Modem 6 of 6 characters:
ATI3
Modem response: 39 characters in 1 read:
ATI3
CX93001-EIS_V0.2002-V92
OK
Sent Modem 9 of 9 characters:
AT+GCI?
Modem response: 27 characters in 1 read:
AT+GCI?
+GCI: 59
OK
Sent Modem 13 of 13 characters:
AT+FCLASS=?
Modem response: 32 characters in 1 read:
AT+FCLASS=?
0,1,1.0,8
OK
Sent Modem 11 of 11 characters:
AT+VCID=1
Modem response: 17 characters in 1 read:
AT+VCID=1
OK
Modem set for CallerID.
Hangup option set to hangup on a blacklisted call
Modem used for CID and to terminate calls
Network Port: 3333
Debug Mode
Not using PID file, there was no '-P' option.
Modem is fd 4
NCID connection socket is sd 5 pos 1
RING
CIDINFO: *LINE*POTS*RING*1*TIME*22:25:21*
CIDINFO: *LINE*POTS*RING*0*TIME*22:25:33*
What I can tell from this is that it should be properly set up to hang up for a blacklisted number (my cellphone, for testing purposes) and that no caller ID gets to the software. About that, it's important to point out that we have a mess of different phones (make, model, cordless, wired...) at home, and all of them do show 1 missed call from me. So at least I can confirm that the caller ID is being sent.
I looked on Trendnet TFM561U description page and Amazon for this modem and didn't see "caller ID" in the description.
Your modem looks like it has Caller ID because its response to the activate caller ID command is "OK":
AT+VCID=1
OK
But looking at
Testing Modem Caller ID Support with HyperTerminal (or Putty) page
However, if, in step 8), the modem responded with "OK", then you probably have the correct string. In this case, either your phone line does not have caller id enabled (this can be tested with a hardware caller id device), or the modem does not support caller id. The latter is possible even if, in step 8), the modem responded with "OK", since many modems use the same firmware regardless of whether the modem contains the appropriate caller id hardware. In other words, many modems don't know whether they have caller id support!
I would say return your modem and get one that has "caller ID" in the description.

Understanding DNS in wireshark output

I used wireshark to collect data from some sites, and then used tcpdump to get it as a text file. For the project I'm working on, I want to count how many DNS resolutions are involved in accessing a particular website, and what the nature of the DNS responses was. The problem is I don't really understand the output from wireshark or how to interpret it to find what I'm looking for. For instance, here is a line:
21:08:05.454852 IP 10.0.0.2.57512 > ord08s09-in-f21.1e100.net.https:
Flags [.], seq 1:1419, ack 55, win 65535, options [nop,nop,TS val
1348891674 ecr 2473250009], length 1418
What do the different parts of this mean, and what will the data I'm looking for look like? I'm worried I might be using Wireshark incorrectly without knowing it.
I used wireshark to collect data from some sites, and then used tcpdump to get it as a text file.
Most people who use both tools use them for the opposite purposes. :-) I.e., they use tcpdump to capture traffic into a file and then read the file with Wireshark. If you're only using Wireshark to capture traffic, that's probably overkill - you can do the same thing with dumpcap or possibly even tcpdump.
The output you're showing is text output, so, if you "used tcpdump to get it as a text file", it's output from tcpdump, not from Wireshark; text output from Wireshark would look different. If you "used wireshark to collect data from some sites, and then used tcpdump to get it as a text file", the output from Wireshark is either a pcap file or a pcap-ng file, which is a binary file, and is completely uninterpreted raw data. The interpretation of the data in your example is being done by tcpdump, not Wireshark.
What the output is saying is:
"21:08:05.454852": the packet arrived at 21:08:05 and a fraction of a second, local time.
"IP": the packet is an IPv4 packet.
"10.0.0.2.57512 > ord08s09-in-f21.1e100.net.https": the packet is from IP address 10.0.0.2, port 57512, to the IP address for which the host name is "ord08s09-in-f21.1e100.net", and the port for "https", which is port 443.
See the tcpdump man page, and a description of TCP, for details on the rest of the line.
The key point here is that this is NOT DNS traffic! It's probably "HTTP-over-SSL", or "https", traffic.
In tcpdump, DNS traffic would look like
11:06:25.247272 IP 10.0.1.3.50953 > 10.0.1.1.domain: 7088+ A? www.kernel.org. (32)
11:06:25.282723 IP 10.0.1.1.domain > 10.0.1.3.50953: 7088 3/0/0 CNAME pub.us.kernel.org., A 149.20.4.69, A 198.145.20.140 (85)
or
11:06:30.622744 IP 10.0.1.3.62767 > 10.0.1.1.domain: 2439+ A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. (62)
11:06:30.639279 IP 10.0.1.1.domain > 10.0.1.3.62767: 2439 1/0/0 A 184.85.109.15 (78)
"A?" means that a query is being done for an A record; "CNAME" means that a CNAME record is being returned (i.e., "www.kernel.org" is an alias for "pub.us.kernel.org"), and "A" means that an A record is being returned, giving an IPv4 address.
In Wireshark or TShark, it would look like:
12.316361 10.0.1.3 -> 10.0.1.1 DNS Standard query 0xc2fa A 1.courier-sandbox-push-apple.com.akadns.net
12.332894 10.0.1.1 -> 10.0.1.3 DNS Standard query response 0xc2fa A 17.149.34.59 A 17.149.34.61 A 17.149.34.62 A 17.149.34.63 A 17.149.34.57
or
15.163941 10.0.1.3 -> 10.0.1.1 DNS Standard query 0x168c A www.gnu.org
15.176266 10.0.1.1 -> 10.0.1.3 DNS Standard query response 0x168c CNAME wildebeest.gnu.org A 208.118.235.148
If you're only trying to capture DNS packets, you should use a capture filter such as "port 53" or "port domain", so that non-DNS traffic will be discarded. That filter will work with Wireshark, TShark, or tcpdump (as they use the same libpcap code for packet capture).
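Since the original question was how many resolutions a site visit needs and what the responses contained, here is an added example (mine, not part of the answer above) that does that counting over tcpdump's text output, for instance from tcpdump -r capture.pcap port 53. It pairs each query with its response on (client address, client port, DNS id), records the returned record types and the response code, and ignores anything that is not DNS, such as the https line from the question. The sample input is the four DNS lines from the answer plus that https line and one constructed NXDomain exchange (id 9999) so the error path is exercised.

```python
import re
from collections import Counter

# Added example (not from the answer above): pair DNS queries with responses in
# tcpdump text output and summarise what came back. Works with the name-resolving
# form shown above ("domain") and with `tcpdump -n` ("53").
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
QUERY = re.compile(r"^(?P<id>\d+)(?P<flags>[+$%]*) (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")
RESPONSE = re.compile(r"^(?P<id>\d+)(?P<flags>[*$|-]*)"
                      r"(?: (?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp))?"
                      r" (?P<ans>\d+)/(?P<auth>\d+)/(?P<add>\d+)(?: (?P<rrs>.+?))? \(\d+\)$")
DNS_PORTS = ("domain", "53")

# Sample: the DNS lines from the answer, the non-DNS https line from the question
# (joined onto one line), and a constructed NXDomain exchange for a name that does not exist.
SAMPLE = """\
21:08:05.454852 IP 10.0.0.2.57512 > ord08s09-in-f21.1e100.net.https: Flags [.], seq 1:1419, ack 55, win 65535, options [nop,nop,TS val 1348891674 ecr 2473250009], length 1418
11:06:25.247272 IP 10.0.1.3.50953 > 10.0.1.1.domain: 7088+ A? www.kernel.org. (32)
11:06:25.282723 IP 10.0.1.1.domain > 10.0.1.3.50953: 7088 3/0/0 CNAME pub.us.kernel.org., A 149.20.4.69, A 198.145.20.140 (85)
11:06:30.622744 IP 10.0.1.3.62767 > 10.0.1.1.domain: 2439+ A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. (62)
11:06:30.639279 IP 10.0.1.1.domain > 10.0.1.3.62767: 2439 1/0/0 A 184.85.109.15 (78)
11:06:31.100000 IP 10.0.1.3.40001 > 10.0.1.1.domain: 9999+ A? nosuch.example.net. (36)
11:06:31.130000 IP 10.0.1.1.domain > 10.0.1.3.40001: 9999 NXDomain 0/1/0 (90)
"""

def split_endpoint(endpoint):
    """'10.0.1.3.50953' -> ('10.0.1.3', '50953'); also works for host names."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_rr(text):
    """'A 149.20.4.69' -> ('A', '149.20.4.69'); tolerate a type with no rdata."""
    parts = text.split(" ", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def parse_dns(text):
    """One dict per transaction, matched on (client ip, client port, dns id).
    Unanswered queries are returned last with answered=False."""
    pending, done = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        q = QUERY.match(m["rest"]) if dst_port in DNS_PORTS else None
        r = RESPONSE.match(m["rest"]) if src_port in DNS_PORTS else None
        if q:
            pending[(src_host, src_port, q["id"])] = {
                "ts": m["ts"], "qname": q["qname"], "qtype": q["qtype"],
                "answered": False, "rcode": None, "records": []}
        elif r:
            tx = pending.pop((dst_host, dst_port, r["id"]), None)
            if tx is None:
                continue  # response whose query was not in the capture
            tx["answered"], tx["rcode"] = True, r["rcode"] or "NoError"
            tx["records"] = [parse_rr(rr) for rr in (r["rrs"] or "").split(", ") if rr]
            done.append(tx)
    return done + list(pending.values())

def summarize(text):
    """Counts a practitioner wants for 'how many lookups, and what did they return'."""
    txs = parse_dns(text)
    return {
        "resolutions": len(txs),
        "answered": sum(1 for t in txs if t["answered"]),
        "rcodes": dict(Counter(t["rcode"] for t in txs if t["answered"])),
        "rtypes": dict(Counter(rtype for t in txs for rtype, _ in t["records"])),
    }

if __name__ == "__main__":
    for tx in parse_dns(SAMPLE):
        print(f'{tx["ts"]} {tx["qtype"]}? {tx["qname"]} -> {tx["rcode"]} {tx["records"]}')
    print(summarize(SAMPLE))
```

On the sample this reports three resolutions, all answered, two NoError and one NXDomain, with one CNAME and three A records returned. Matching on the client port as well as the DNS id matters: ids are only 16 bits and a browser fires many lookups in parallel, so id alone will eventually pair the wrong query with a response.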
