Jump to content

About This Club

This is a high level of everything network related
  1. What's new in this club
  2. When using SNMP v3 it's important you use the correct Security Mechanisms to keep your devices safe. The quick and short of it is to be the most secure you should be using SNMPv3 Auth = MD5 Priv = AES Different passwords for each MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value. SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5. User-based Authentication Mechanism is based on the following: MD5 message digest algorithm in HMAC Directly provides data integrity checks Indirectly provides data origin authentication Uses private key known by sender and receiver 16-byte key 128-bit digest (truncates to 96 bits) SHA, an optional alternative algorithm Loosely synchronized monotonically increasing time indicator values defend against certain message stream modification attacks Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm. The AES 128-bit cipher algorithm is a stronger encryption protocol than the current Data Encryption Standard (DES) 56-bit algorithm. AES is a symmetric cipher algorithm that the National Institute of Standards (NIST) selects to replace DES. RFC 3826, The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model (USM), specifies that Cipher Feedback Mode (CFB) mode is to be used with AES encryption. User-based Privacy Mechanism is based on the following: Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode Provides data confidentiality Uses encryption Subject to export and use restrictions in many jurisdictions Uses 16-byte key (56-bit DES key, 8-byte DES initialization vector) known by sender and receiver Multiple levels of compliances with respect to DES due to problems associated with international use Triple Data Encryption Standard (Triple DES) Advanced Encryption Standard (AES) (128, 192, and 256, bit keys) SNMPv3 provides the following configuration possibilities. (Note: availability depends on export restrictions.) No authentication and no privacy (noAuthNoPriv) - usually for monitoring Authentication and no privacy (authNoPriv) - usually for control Authentication and privacy (authPriv) - usually for downloading secrets
  3. You can use this link to find out the Chain that your cert/key are pinned to If your cert is encrypted with a password you'll need to decrypt it Enter the unencrypted cert here to find what chain is linked to your cert https://www.sslshopper.com/certificate-decoder.html
  4. Source Port and Destination Port fields together identify the two local end points of the particular connection. A port plus its hosts' IP address forms a unique end point. Ports are used to communicate with the upper layer and distinguish different application sessions on the host. The Sequence Number and Acknowledgment Number fields specify bytes in the byte stream. The sequence number is used for segment differentiation and is useful for reordering or retransmitting lost segments. The Acknowledgment number is set to the next segment expected. Data offset or TCP header length indicates how many 4-byte words are contained in the TCP header. The Window field indicates how many bytes can be transmitted before an acknowledgment is received. The Checksum field is used to provide extra reliability and security to the TCP segment. The actual user data are included after the end of the header.
  5. You first have to setup Wireshark I click on Wireshark - Preferences and click on Advanced and search / verify the below matches ip.defragment: TRUE tcp.check_checksum: FALSE tcp.desegment_tcp_streams: TRUE ssl.desegment_ssl_records: TRUE ssl.desegment_ssl_application_data: TRUE you can simply type ssl and press enter to see ssl traffic Look for Client Hello and expand Secure Socket Layer
  6. 1994 - SSLv1 by Netscape (unreleased) 1994 - SSLv2 by Netscape (v2-draft) 1995 - SSLv3 by Netscape (v3-draft) 1999 - TLSv1.0, IETF (RFC 2246) 2006 - TLSv1.1, IETF (RFC 4346) 2008 - TLSv1.2, IETF (RFC 5246) 2016 - TLSv1.3, IETF (draft 16)
  7. What does DKIM stand for? DKIM (DomainKeys Identified Mail) is an important authentication mechanism to help protect both email receivers and email senders from forged and phishing email. It provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. Example of a DKIM TXT Record test._domainkey.thezah.com How to test your DKIM TXT record dig +short test._domainkey.thezah.com TXT Also look at the article about SPF records
  8. Ethernet eth.addr eth.dst eth.src eth.ig eth.len eth.lg eth.multicast eth.trailer eth.type IEEE 802.1Q vlan.cfi vlan.etype vlan.id vlan.len vlan.priority vlan.trailer IPv4 ip.addr ip.checksum ip.checksum_bad ip.checksum_good ip.dsfield ip.dsfield.ce ip.dsfield.dscp ip.dsfield.ect ip.dst ip.dst_host ip.flags ip.flags.df ip.flags.mf ip.flags.rb ip.frag_offset ip.fragment ip.fragment.error ip.fragment.multipletails ip.fragment.overlap ip.fragment.overlap.conflict ip.fragment.toolongfragment ip.fragments ip.hdr_len ip.host ip.id ip.len ip.proto ip.reassembled_in ip.src ip.src_host ip.tos ip.tos.cost ip.tos.delay ip.tos.precedence ip.tos.reliability ip.tos.throughput ip.ttl ip.version IPv6 ipv6.addr ipv6.class ipv6.dst ipv6.dst_host ipv6.dst_opt ipv6.flow ipv6.fragment ipv6.fragment.error ipv6.fragment.more ipv6.fragment.multipletails ipv6.fragment.offset ipv6.fragment.overlap ipv6.fragment.overlap.conflict ipv6.fragment.toolongfragment ipv6.fragments ipv6.fragment.id ipv6.hlim ipv6.hop_opt ipv6.host ipv6.mipv6_home_address ipv6.mipv6_length ipv6.mipv6_type ipv6.nxt ipv6.opt.pad1 ipv6.opt.padn ipv6.plen ipv6.reassembled_in ipv6.routing_hdr ipv6.routing_hdr.addr ipv6.routing_hdr.left ipv6.routing_hdr.type ipv6.src ipv6.src_host ipv6.version ARP arp.dst.hw_mac arp.dst.proto_ipv4 arp.hw.size arp.hw.type arp.opcode arp.proto.size arp.proto.type arp.src.hw_mac arp.src.proto_ipv4 TCP tcp.ack tcp.checksum tcp.checksum_bad tcp.checksum_good tcp.continuation_to tcp.dstport tcp.flags. UDP Frame Relay PPP MPLS ICMP ICMPv6 DTP VTP RIP BGP HTTP
  9. TLS 1.1 and 1.2 not supported: Internet Explorer (6-8 for Windows Server 2003, 7–9 for Windows Vista / Server 2008), Safari 6 for Mac OS X 10.8 TLS 1.1 and 1.2 supported, but disabled by default: Internet Explorer (8–10 for Windows 7 / Server 2008 R2, 10 for Windows 8 / Server 2012, IE Mobile 10 for Windows Phone 8) To enable TLS... Click the gear/tools Go into Internet Options, then on Advanced tab check the box for TLS1.2. Check Out Wikipedia for more info
  10. The question title pretty much says it all but what appears to be an international standard as of today is TLS 1.2 and I noticed many users not able to connect to the site now that we switched. I am assuming it could be because there browser may not support TLS 1.2 so I'm asking do you know what browsers do support TLS 1.2 and which Internet browsers don't support TLS 1.2?
  11. A common step in troubleshooting is finding out what not to troubleshoot. With a packet capture you can confirm things such as routing, firewall rules, and remote services. Layer 1[/b] hardware is probably on and functioning Layer 2 Addressing is likely working Layer 3 Routing would appear to be working Layer 4 Transport is likely working Layer 5(Session), Layer 6(presentation) and Layer 7(application) might not be working at this point, but you’ve ruled out several things that don’t need to be tested. You can do detailed packet captures that look for additional information to verify if layers 5,6 and 7 are working, but this should save you some time to know that layers 1-4 are operational. It’s possible that intermittent errors, or bandwidth related errors could be hiding, and a packet capture can still help you find this type of error too. Here are some tcpdump notes. Basic tcpdump flags [table][tr][td]-i [/td] [td]Specify which intterface to capture, defaults to lowest numbered interface[/td][/tr] [tr][td]-q[/td] [td]Quick output. Print less protocol information so output lines are shorter, easier to read.[/td][/tr] [tr][td]-X[/td] [td]Show binary and hex data[/td][/tr] [tr][td]-n[/td] [td]Do not perform DNS lookup, just show the IP[/td][/tr] [tr][td]-v[/td] [td]Show additional information, -vv shows more, -vvv shows even more[/td][/tr] [tr][td]-s [/td] [td]Size of the Packet, (-s 1514)[/td][/tr] [tr][td]-S[/td] [td]Print absolute, rather than relative TCP sequence numbers[/td][/tr] [tr][td]src (net)[/td] [td]The source IP of the filter (src src net can be used to specify a network, in CIDR: (dst net[/td][/tr] [tr][td]dst (net)[/td] [td]The destination IP of the filter (dst dst net can be used to specify a network, in CIDR: (dst net[/td][/tr] [tr][td](src|dst) port[/td] [td]which port specifically, can be named ports, or specific port. (dst port 80)[/td][/tr] [tr][td]-w [/td] [td]The name of the file to write out your packet capture to (-w filename.cap)[/td][/tr] [tr][td]and[/td] [td]combine filters (and src net[/td][/tr] [tr][td]not[/td] [td]negate filters (and not dst port 22)[/td][/tr][/table] tcpdump filter examples Here is a list of several ways to build filters, and some of the more common ways that you might want to view data. tcpdump -nS Very basic communication. tcpdump -nnvvS Basic, verbose communication. tcpdump -nnvvXS Get the packet payload, but that’s all tcpdump -nnvvXSs 1514 Full packet capture with all details tcpdump host Show traffic to and from tcpdump src Show all traffic from tcpdump dst Show all traffic to tcpdump net Look at traffic to and from tcpdump port 3389 Remote Desktop example tcpdump udp and src port 53 specify protocol combined with src port (DNS filter example) tcpdump portrange 1000-2000 Do you need an explanation? If so, perhaps another article is better for you. tcpdump -i any -nnvvXSs 1514 -c 100 src port 443 -w capturefile Capturing full packet, fully verbose, limit to 100 of them, with IP and port filter, write to capturefile for later analysis. tcpdump -nnvvXSs 1514 src net and dst net not dst port 22 Like previous tcpdump filter, but also limiting between 2 networks, and ignoring port 22 3 way Handshake Troubleshooting With tcpdump We are able to confirm routing, firewall rules, and remote service response by looking at the type of packet that comes back: tcpdump ‘tcp[13] & 2!=0’ SYN messages tell us that at least our client is sending it’s initial outbound message. If that’s all we see, then nothing is coming back and routing could be bad, or the remote server could be down. tcpdump ‘tcp[13] & 16!=0’ ACK is the acknowledge message. We can see that the traffic is going all the way to and from the client/server and the server is responding. tcpdump ‘tcp[13]=18’ SYN ACK packets shows active communication between client and server. Routes, ACLs, and Firewall rules are good. tcpdump ‘tcp[13] & 4!=0’ RST packets. RST packets are sent back from the service, so at least you know the path is good and not blocked by an ACL or firewall. tcpdump ‘tcp[13] & 1!=0’ FIN packets. FIN packets are sent back from the service, so you also know path and firewall or ACL rules are not blocking. tcpdump Statistics Often, on a network a few hosts will be infected, but it’s hard to tell which ones those hosts are. Here is a quick method to help you determine who is spewing the most traffic: First, get a packet capture of the data that is of interest to you, you can get basic packets, or all of it if you want to review it later. In my example I want to review it later, so I’m capturing the entire packet, with a bit of detail: # tcpdump -i any -nn -X -vv -s 1514 -c 1000 -w packetcap.cap Next run it through awk to display some statistical information: # tcpdump -nr packetcap.cap | awk '{print }' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n
  12. Wouldn’t surprise me if a firewall along the way was blocking ICMP (ping) since most applications actually only need certain ports open to function. Ping is not a very reliable testing mechanism to validate if something is up and working. Simple test that everyone has access to is telnet (ex. telnet ipaddress:port) to validate the path is open all the way through. Of course my favorite is either tcptraceroute ipaddress port (which performs a traceroute and validates every hop has that port open and if anywhere that port is blocked you can see. Others prefer using traceroute ipaddress –T –p port -T stands for TCP That is a long way of saying, I would suggest finding what port the server is expecting and try one of the above functions to test if the server is up and working.
  13. this is a great tool that I highly recommend using when troubleshooting. Most importantly its reliable. Here is an example of being able to test a https URL redirect curl -ksI https://zahsystems.com -k = process https (443). (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used. -s = Silent or quiet mode. Don't show progress meter or error messages. Makes Curl mute. It will still output the data you ask for, potentially even to the terminal/stdout unless you redirect it. -I = (HTTP/FTP/FILE) Fetch the HTTP-header only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document. When used on an FTP or FILE file, curl displays the file size and last modification time only. The results HTTP/1.0 302 Found Location: https://dj-direct.int.zahsystems.com/consumerdirectadmin/home.action Server: BigIP Connection: Keep-Alive Content-Length: 0
  14. It sure would be helpful to find out what actual network/bandwidth speed is versus relying on other tools. Utilize Wireshark to monitor your network card to get an accurate representation of your bandwidth. If you have a trace running as you download a file go to Statistics - IO Graph draw a graph in the outbound direction only. Change the Y-axis to bits/tick if you want to see bandwidth. Maybe you are using a Linux system or just like using tcpdump. TCPdump doesn't give you the real-time stats but you can feed it's output to something that does. You'd need to add a suitable filter expression at the end of the tcpdump command to only include the traffic generated by your app (e.g. port 80) The program netbps is this: It's just an example, adjust to taste.
  15. When someone complains of having a network issue, it would be helpful if they run the following commands and supply the person troubleshooting the network the output of these commands. UNIX/Linux Environment : ifconfig -anetstat -rn netstat -v Windows Environment: ipconfig /allnetstat -r netstat -e netstat -s
  16. What is NNMi (NETWORK NODE MANAGER i)? Unify fault, availability, and performance monitoring. This network management software helps you improve network uptime and performance, and increase responsiveness to business needs. Note: hostnames in NNMi must match what is in DNS (very case sensative)
  17. When you are having issues connecting to a site all of a sudden, more than likely the site has performed an update and your browser is using its local cache trying to connect so you need to clear it out. This way your browser will download the updated information. Internet Explorer Internet Options - General Tab - Under Browsing History click Delete.. - select everything but Download History, Passwords and ActiveX Filtering aren't necessary if you don't want), - Click Delete Firefox Tools - Options - Privacy - clear your recent history Time range to clear: Everyting Details: Select what you want (more is better but mainly cache and cookies is a must) Click Clear Now
  18. Trying to discover hosts in a subnet from a linux box and here is what I came up with so far Using a BASH script: subnet=192.168.2. addr=1 while [ $addr -lt 256 ]; do ping -c 1 -t 1 $subnet$addr > /dev/null && echo Found $subnet$addr let addr=addr+1 done OR this script may work better subnet=192.168.2. for addr in `seq 1 1 255 `; do ( ping -c 1 -t 1 $subnet$addr > /dev/null && echo Found $subnet$addr ) & done OR even ping the broadcast address like this ping -b OR use arp-scan (if loaded) sudo arp-scan -I eth0 OR utilize nmap (one of my favorite discovery tools) nmap -v -sP OR even another script FOR /L %i IN (1,1,254) DO ping -n 1 10.254.254.%i | FIND /i “Reply”>> ipaddresses.txt
  19. Wireshark is my preferred method of capturing files but it does take more resources (CPU and Memory) then a command line based tool like tcpdump. It would be best to look at the manpage for all the options but I will give you the example below that I use on a regular basis which will continuously create 20Mb files and once 1000 files get created it will begin overwriting files. sudo tcpdump -i eth0 -nnvv -w /home/hosangit/captures/ustrocapture.log -W 1000 -C 20,000,000 Now that you have all these files here are a few tools you can use to analyze the data Wireshark tshark (tshark -i eth0 -b filesize:20000 -b files:1000 -n -t ad -w /home/hosangit/captures/filename.cap) tcpdstat ipsumdump Netdude I will include examples with each of these as I put them together with some screen shots.
  20. Request from user: You pretty much described Solarwinds Orion. You would have to purchase some add-ons they offer for all the functionality but I would say they can do about 90% of what you are looking for at a very low price and very little hardware (in comparison to the alternatives). Extensions you would have to add include : Netflow Traffic Analyzer This extension will add the ability to collect and analyze netflow traffic Application Performance Monitor This extension will help you monitor your application performance Network Configuration Management This extension integrates with Orion and helps keep an eye and archive your network configurations (like your configs on your network hardware) Orion itself lets you have unlimited custom fields for your nodes, when you search you can search on those custom fields or anywhere... its all in a sql database so its searchable. You can create a map but it doesn't (as far as I know) automatically add devices to the map based on the devices mailing address. Now that would be awesome!
  21. Guest


    Another nice part of Solarwinds is you can keep your Custom Properties updated offline via a spreadsheet and then import the changes all at once. What is SolarWinds Orion Custom Properties you ask? This allows you to track anything relevant to that node or interface. For example I have 1000+ nodes but only a couple are at a specific address and I want to track location, create custom properties: street_address1 street_address2 city state country postal_code Now you can search/sort which nodes are in which city, state, country, postal code... you can also include these custom properties in your alerts so you can provide the shipping address to a vendor that needs to ship out a replacement part without needing a computer. Custom Properties can be anything, region, contact1 name, contact1_role, contact1 email, contact1 home#, contact1 cell# (include contact information in your alerts so you know who to call from the site to confirm issues or to be available for testing) Maybe include the building#, floor#, closet# for each node so you can quickly find the device. Another idea is to include WAN provider information, WAN_Vendor, WAN_CircuitID, WAN_CircuitSpeed.... So first, lets assume you already have some Custom Properties defined but want to update the information on missing items. EXPORT SOLARWINDS CUSTOM PROPERTIES Log into the server that is running Solarwinds Orion Click on Start - All Programs - SolarWinds Orion - Grouping and Access Control - Custom Property Editor Click on Nodes Click File - Export - Export to Excel (this creates an .xls file and the columns with the text in blue are the columns that are custom properites)
  22. Guest


    If you want to Monitor Cisco Power Add OID Power supplies and total switch load you can get it here - Port POE values you can find everything you need under here -
  23. What a great network sanity tool that has proven itself time and time again. The price is less then the big names but I found after using it for several years side by side with some big names (Opsware, Netcool, eHealth) that Solarwinds is far more flexible, easier to use and the customization is fantastic. To demonstrate how easy it is to add a new device to be monitored, I'm going to show you below by using only the web interface. Before you get to far, be sure an Admin grants your ID the access to manage nodes STEP ONE.. enter the URL of the Solarwinds server and enter your login information. STEP TWO.. click on Manage Nodes (doesn't matter under what title (example Exchange Servers) because it brings you to the same place. STEP THREE.. Now you are presented with the Manage Nodes screen which should look like the below. Go ahead and click Add STEP FOUR.. Define the information about your Node (IP Address, SNMP string(s)) and click Next STEP FIVE.. If you have the SNMP string and it validated when you clicked next, pick the resources from the object you want to monitor (CPU, MEMORY, INTERFACE(S), HARD DRIVE, etc..) On a switch I like to monitor the interfaces/ports the WAN router(s) are plugged into, server(s) and any critical devices to include uplinks to other switches. I just don't monitor users or printers. STEP SIX.. Pick the poller(s) to use to monitor your device (you can have multiple pollers with Solarwinds to help reduce the load on the server. Some like to use a poller per region or business unit. Its not needed but nice to have multiple pollers.) STEP SEVEN.. Enter your custom property definitions. This is fully customizable from the server but you can add anything you want to track or group nodes together. So for example, switch location (city, state, country). This allows you to quickly find all the nodes in a city, state or country. I also use the custom fields for contact information so when a node goes down it sends a page with the address, contact1 info, contact2 info and some other useful information in the event I'm not near a computer to look it up. Some pre-planning if you are using Solarwinds to help you out in the future. 1.) When installing a switch, take the time and make sure the switchport descriptions are short and accurate. Come up with a naming standard that you could use Globally. Solarwinds will pull the switchport descriptions automatically and if you already did the work ahead of time you will save yourself a lot of time from adding alias's to the switchports later. 2.) Also when configuring the switch ensure you have SNMP Read-Only access as well as the Syslog Messages forwarded to your Solarwinds Server. This will make troubleshooting a site or hardware faster and easier. Also in the event of hardware failure, you'll have some final syslog messages from that device that could help identify what happened. 3.) Depending on the hardware, enable Netflow. This comes in handy when you are trying to find top talkers or bandwidth utilization on the WAN circuit. This requires a Solarwinds Add-on Module but is highly recommended and does provide some very useful information all in one place, your Solarwinds Network Monitoring Tool.
  24. I pay for internet for my building but not a big fan of users not in the building using my purchased internet. Everytime I travel and stay in a hotel or am at the airport, I have am presented a login the minute I launch my browser. What a great solution, I would like to implement the same thing in my building. So what do you need to keep this inexpensive as much as possible... Ubuntu Server or Desktop (these instructions were tested using Server version 8.04). A x86 machine with two network cards (this could be an old laptop, desktop, whatever). Defining some stuff: is the private network that everyone will get an IP address from which means to .254 are valid IP addresses with a subnet mask of (probably a bit too much information but I'm sharing it anyhow). The ubuntu server will be supplying the IP addresses (acting as the DHCP server) so if you access point is currently doing that task... turn off the feature of being the DHCP server. is the internal network that is hot to the internet. So your desktop will have two network interface cards (NICs) and we will label them as such: eth0 = This will be the internet hot address (most of the time this is setup to receive an IP address from your Internet provider or possbily another Linksys Router that is connected to the internet. eth1 = Private network (this will not be assigned an IP address and will be the interface that will be handing out IP addresses to clients that wish to access the internet) Note: This solution does not work well under VMWare Server or Workstation. I spent many hours trying to get this to work under VMWare and never had success and the first time I tried this on a dedicated old piece of doo doo, it worked fine. Let's begin the installation... 1st download the .iso from Ubuntu and burn that to a CD and go ahead and follow the prompts to install (when tasksel launches asking you to install option components, you can go ahead and select LAMP and SSH Server)... you'll need these. Now the rest of the instructions for ChillispotHotspot can be found here
  25. Use with a straight DB9?s wired pins 1 ? 8 in relation to the RJ45 1,2,3,4,5,6,7,8 Use with a normal patch cable. Tie the Blue (1) and the Yellow (6) from the RJ45 together and stick it in pin 4 of the DB9. Take the Red (4) and tie it to two short leads going to pin (1) and (6) of the DB9
  26. Version 6.2 OS Type in these commands as they appear. top system cdb backup Transfer successful CDB backup was successful up batch create Transfer successful Batch file created successfully Move these files from your C:TFTPBoot directory to the appropriate CDB Backup folder. The F1_CDB_xxxxx is the file name saved to the PC. Replace F1 for Forge Fabric 1 with F2, F3, G1, for Gear Fabric 1 and R1 for Rochester Fabric 1.
  • Create New...