BSD: Networking Included

These are some every-day techniques that I use to get stuff done.

BSD Kernels track Duplicate IPs

The BSD kernels keep track of MAC-IP resolutions, and will log any changes. It's a good habit to check this after plugging your own laptop into a network. More than once I have plugged my Thinkpad into a network and broken some service because their DHCP server gave me an address that was already used.

$ dmesg ... duplicate IP address 31.6.2.3 sent from ethernet address 00:13:72:a7:ff:14 duplicate IP address 31.6.2.3 sent from ethernet address 00:13:72:a7:ff:14 duplicate IP address 31.6.2.11 sent from ethernet address 00:13:72:a7:f9:04 duplicate IP address 31.6.2.11 sent from ethernet address 00:13:72:a7:f9:04

Run Daemons as Foreground Processes

Most BSD network daemon can be run in the foreground, which not only gives you the ability to easily test a service again, but you may notice oddities immediately. Below is an example of a site that was configured with two competing DHCP servers.

$ doas dhclient -d fxp0 DHCPREQUEST on fxp0 to 255.255.255.255 port 67 DHCPNAK from 31.6.1.4 DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 7 DHCPOFFER from 31.6.1.4 DHCPOFFER from 31.6.1.3 DHCPREQUEST on fxp0 to 255.255.255.255 port 67 DHCPACK from 31.6.1.4 bound to 31.6.2.11 -- renewal in 345600 seconds.

Resolve Common Ports

/etc/services is a handy reference for common protocols.

$ grep 138 /etc/services netbios-dgm 138/tcp # NETBIOS Datagram Service netbios-dgm 138/udp

I also sometimes document an assignment by defining in /etc/services , so that I know what port is used, especially on proprietary systems.

coral 11001/tcp # Coral PBX management with CUGW

Quickly Find Proxy-Arp

This is insane; sometimes home-office routers are installed that have proxy-ARP enabled by default!(Linksys VPN routers come to mind.) A quick look at the ARP table will show this.

$ arp -a ? (192.168.1.36) at 00:0c:6e:41:e1:56 on xl2 ? (192.168.1.43) at 00:0c:6e:41:e1:56 on xl2 ? (192.168.1.46) at 00:0c:6e:41:e1:56 on xl2 ? (192.168.1.49) at 00:0c:6e:41:e1:56 on xl2 ? (192.168.1.51) at 00:0c:6e:41:e1:56 on xl2 ? (192.168.1.56) at 00:0c:6e:41:e1:56 on xl2 ? (192.168.6.38) at 00:50:ba:58:9e:64 on xl1 ? (192.168.6.13) at 00:11:09:c5:cb:8b on xl1 ? (192.168.6.17) at 00:13:72:d3:da:94 on xl1 ? (192.168.6.18) at 00:0a:6b:00:a5:8b on xl1

Finding the Gateway

Most ARP requests will come from the gateway on a given subnet. The volume of requests make it easy to find the gateway.

$ doas tcpdump -n arp tcpdump: listening on rl0, link-type EN10MB 20:20:13.080158 arp who-has 192.168.168.199 tell 192.168.168.36 20:20:18.584708 arp who-has 192.168.168.191 tell 192.168.168.36 20:20:24.931355 arp who-has 72.20.216.61 tell 72.20.216.57 20:20:25.955077 arp who-has 192.168.168.199 tell 192.168.168.36 20:20:31.955179 arp who-has 192.168.168.199 tell 192.168.168.36

Log Traffic Between two Devices

If you can't get a hub in-between two points or a switch that support port mirroring a second NIC in a laptop can be set up as a bridge between two points so that full network trace can be captured. In my T30 fxp0 is a built-in network card, and dc0 is a Xircom combo in my PCCard slot.

ifconfig fxp0 up ifconfig dc0 up ifconfig bridge0 up brconfig bridge0 add fxp0 brconfig bridge0 add dc0

$ doas brconfig bridge0: flags=41<UP,RUNNING> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp dc0 flags=3<LEARNING,DISCOVER> port 5 ifpriority 0 ifcost 0 fxp0 flags=3<LEARNING,DISCOVER> port 2 ifpriority 0 ifcost 0 Addresses (max cache: 100, timeout: 240):

Now I can log everything with snort

$ doas snort -l ./

or tcpdump

$ doas tcpdump -w file -i ath0 tcpdump: listening on ath0, link-type EN10MB ^C 1557 packets received by filter 0 packets dropped by kernel $ doas tcpdump -r file icmp ...

With a capture on file comparisons are possible between different samples in time and maybe even match up a flow with a specific event that you learn of from others there.

Double-Check Subnet Masks

Even after setting up networks for a while it's not hard to make a mistake in calculating subnets, so an IP calculator is a handy way to check yourself. It can be installed from ports under net/ipcalc

$ ipcalc 72.20.214.14/28 address : 72.20.214.14 netmask : 255.255.255.240 (0xfffffff0) network : 72.20.214.0 /28 broadcast : 72.20.214.15 host min : 72.20.214.1 host max : 72.20.214.14 hosts/net : 14

Check File Integrity

A router can corrupt a data stream. This is rare, but when transferring files I've demonstrated that a Cisco 3640 can corrupt the payload of TCP packets. Armed with md5 you may catch some tricky glitches in hardware or software.

$ md5 test.zip MD5 (test.zip) = 0f155c2bd57bbba564c899da50504ce5

$ ftp http://teisprint.net/test.zip Trying 72.28.48.198... Requesting http://teisprint.net/test.zip (via http://proxy.eradman.com:8123/) 100% |**************************************************| 3090 KB 00:20 Successfully retrieved file. $ md5 test.zip MD5 (test.zip) = 0f155c2bd57bbba564c899da50504ce5

Simply comparing file sizes is not a good method of testing the validity of a trasmission.

Routing Loops

Finding routing loops is not an advanced topic and does not require a specialized set of tools. Thanks to tcpdump you can check for this anywhere by watching the ttl values. Here we have a switching loop (duplicate packets) and a routing loop (TTL moving to 0) on the same LAN.

$ doas tcpdump -i fxp0 port 445 14:02:25.944847 IP (tos 0x0, ttl 8, id 15937, offset 0, flags [DF], = proto: TCP (6), length: 79) 31.6.2.20.2688 > 31.6.1.2.microsoft-ds: P, = cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529 14:02:25.944861 IP (tos 0x0, ttl 7, id 15937, offset 0, flags [DF], = proto: TCP (6), length: 79) 31.6.2.20.2688 > 31.6.1.2.microsoft-ds: P, = cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529 14:02:25.944985 IP (tos 0x0, ttl 8, id 15937, offset 0, flags [DF], = proto: TCP (6), length: 79) 31.6.2.20.2688 > 31.6.1.2.microsoft-ds: P, = cksum 0xd6dd (correct), 0:39(39) ack 1 win 16529

Many times this can be caused by servers with IP forwarding enabled. Test a suspect by trying to route packets through the suspect.

$ doas route delete default $ doas route add default 31.6.1.2 $ ping eradman.com ...

TFTP is Standard

It's good to be in the habit of copying off configuration of rotuers and switches before you modify them, and so that you have a backup.

# /etc/inetd.conf tftp dgram udp wait root /usr/libexec/tftpd tftpd -s /tftpboot tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -s /tftpboot

I link the TFTP folder /tftpboot to my home directory. The important thing is that inetd have write permission to the file you want to copy to.

$ ls -l /tftpboot lrwxr-xr-x 1 root wheel 18 Dec 14 03:19 /tftpboot -> /home/eradman/tftp $ touch ~/tftp/PIX515-GATEWAY $ chmod 666 ~/tftp/PIX515-GATEWAY

Log Everything in tmux(1)

tmux doesn't provide a built-in shortcut for logging the output of a session, but it can be easily toggled by adding shortcuts to .tmux.conf

bind-key H pipe-pane "exec cat >>$HOME/'#W-tmux.log'" \; display-message 'Started logging to $HOME/#W-tmux.log' bind-key h pipe-pane \; display-message 'Ended logging to $HOME/#W-tmux.log'

Domain Internet Groper

host gives you need to know now

$ host eradman.com eradman.com has address 72.20.216.13 eradman.com has IPv6 address 2001:470:1f00:297:a00:20ff:fe9e:b3e1 eradman.com mail is handled by 10 us270-ob0.eradman.com.

And dig provides a flexible interface for searching DNS

$ dig @72.20.216.8 nycbug.org ns +short auth20.ns.nyi.net. auth21.ns.nyi.net.

Use -x to look up reverse lookups.

Find Manufacturer of Device

First get . The first six octets are the manufacturer of a particular NIC, so if you know the address of the offending device you may be able to tell what kind of device it's in.

$ arp -an | sed 's/:/-/g' ? (192.168.1.1) at 00-01-03-e9-c2-b2 on xl2 static $ grep -i 00-01-03 ~/documents/oui.txt 00-01-03 (hex) 3COM CORPORATION

nmap does this automatically.

Searching for Wireless Networks

OpenBSD's ifconfig(8) completely unifies configuration of various network cards, including wireless adaptors. To scan the SSIDs visible to your laptop use the scan parameter

$ doas ifconfig wpi0 scan wpi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:1b:77:11:10:c5 priority: 4 groups: wlan egress media: IEEE802.11 autoselect (OFDM54 mode 11g) status: active ieee80211: nwid 0024A5B3D55F chan 1 bssid 00:24:a5:b3:d5:5f 63dB ... nwid 0x00 chan 11 bssid 00:1d:a2:84:cd:30 62dB 54M ... nwid guest chan 11 bssid 00:1d:a2:84:cd:31 50dB 54M ... nwid avctrl chan 11 bssid 00:1d:a2:84:cd:32 53dB 54M ... inet 149.77.212.173 netmask 0xfffffff0 broadcast 149.77.212.175

RS-232 aka Serial Devices

Serial access is also built-in:

$ cu -s 19200 -l cuaU0

BREAK is ~. If you have USB-to-serial converter you can access it like so

$ dmesg ... ugen1 at uhub6 port 3 configuration 1 "Research In Motion RIM Composite Device" rev 2.00/2.32 addr 8 uplcom0 at uhub3 port 1 "Prolific Technology Inc. USB-Serial Controller D" rev 1.10/4.00 addr 2 ucom0 at uplcom0

Print Configuration

12-point courier wastes a lot of paper if you need to print some text. Install a2ps from ports and use half as much.

$ a2ps -2 ap.conf -M A5 -o ap.conf.ps

BSD Telnet Works

It may be a well-kept secret that the BSD telnet can do send one character at a time, which is sometimes required to simulate a serial link on some terminals need for password prompts, etc.

$ telnet 22.50.52.90 10001 Trying 12.50.52.92... Connected to 12.50.52.92. Escape character is '^]'. ENTER PASSWORD ^] telnet>; mode character

Better yet, add common connection parameters to .telnetrc

192.168.168.2 # The Simplicity VM mode character # do-nothing to make the above line work: set crmod off

XTerm as an ANSI Terminal with VGA Fonts

$ cd /usr/X11R6/lib/X11/fonts/misc $ doas ftp http://scie.nti.st/dist/sabvga.pcf $ doas ftp http://scie.nti.st/dist/vga.pcf $ doas ftp http://scie.nti.st/dist/vga11x19.pcf $ doas mkfontdir

Thanks to Garry Dolley for posting these fonts and for showing how to do this on OS X as well.

xterm +sb -fn vga -bg darkblue -fg white

This is a view to the text console

Custom Key-Mappings

Proprietary applications often expect goofy character combinations for normal use. The key translations in XTerm are very flexible because you can map a key pair to any string of characters. I used VIM to figure out key by moving the cursor to a character or code, like ^M and typing ga to show the hex code in the status line. This is part of my .Xdefaults

XTerm * VT100 . translations : #override

\ ~Shift <Key>F1 : string(0x1) string(0x40) string(0xd)

\ ~Shift <Key>F2 : string(0x1) string(0x41) string(0xd)

\ ~Shift <Key>F3 : string(0x1) string(0x42) string(0xd)

\ ~Shift <Key>F4 : string(0x1) string(0x43) string(0xd)

\ ~Shift <Key>F5 : string(0x1) string(0x44) string(0xd)

\ ~Shift <Key>F6 : string(0x1) string(0x45) string(0xd)

\ ~Shift <Key>F7 : string(0x1) string(0x46) string(0xd)

\ ~Shift <Key>F8 : string(0x1) string(0x47) string(0xd)

\ ~Shift <Key>F9 : string(0x1) string(0x48) string(0xd)

\ ~Shift <Key>F10 : string(0x1) string(0x49) string(0xd)

\

These keys enabled me to manage an old Tadiran voicemail via a network serial port: