tcpdump throws PKTAP error - tcpdump

While running tcpdump without providing any interface (tcpdump -nS), I'm getting the error tcpdump: cannot use data link type PKTAP, so I tried providing the interface option in the command (tcpdump -i eth0, or even eth1). Then I get the following error:
tcpdump: eth1: No such device exists
(BIOCSETIF failed: Device not configured)
I even tried looking it up on the Internet, but I'm not finding any solution... Any help?

I can't speak to your problem with PKTAP, but I can speak to the "No such device exists" - eth0 is a Linux-ism, and MacOS isn't Linux. You almost certainly want en0, en1, etc. "ifconfig -a" is your friend or, if you have it installed, "tshark -D".

Any reason why the PKTAP issue is occurring?
It's probably occurring because you installed your own version of libpcap, which does not know about the DLT_PKTAP link-layer header type, and Apple's tcpdump is somehow using your version rather than their own version (Apple's version does know about it). When Apple's tcpdump is run without a -i argument, it uses an OS mechanism to capture on all devices, and that mechanism supplies packets with DLT_PKTAP headers and the DLT_PKTAP link-layer header type, so the capture fails.

Related

Unable to resolve .local domains with getent even though avahi-resolve-host-name succeeds

Trying to set up a network printer with CUPS. Followed online documentation that stated:
To discover or share printers using DNS-SD/mDNS, setup .local hostname resolution with Avahi and restart cups.service.
Followed directions for setting up Avahi to the point where avahi-browse --all --ignore-local --resolve --terminate and avahi-resolve-host-name my-domain.local are both working.
But getent hosts my-domain.local fails to resolve. This results in CUPS failing to print because it can't find my-printer.local.
I read the mdns GitHub page and saw a note that made me think I didn't need a /etc/mdns.allow file:
nss-mdns has a simple configuration file /etc/mdns.allow for enabling name lookups via mDNS in other domains than .local.
Note: The "minimal" version of nss-mdns does not read /etc/mdns.allow under any circumstances. It behaves as if the file does not exist.
In the recommended configuration, no /etc/mdns.allow file is present.
But then I saw the last note in that section:
If, during a request, the system-configured unicast DNS (specified in /etc/resolv.conf) reports an SOA record for the top-level local name, the request is rejected. Example: host -t SOA local returns something other than Host local not found: 3(NXDOMAIN). This is the unicast SOA heuristic.
I tested that out on my machine and, sure enough, I was getting something OTHER than Host local not found....
After adding a /etc/mdns.allow file with a line for .local. and one for .local, I can now ping my-printer.local.

Is there a flag/option available to display only bad checksum packets using tcpdump

I can see that tshark/wireshark has a filter to display only packets with checksum errors (tcp.checksum.status == "Unverified"). I tried checking whether there is any similar flag in tcpdump, but I couldn't find one. Is there a flag/option available with tcpdump? If so, does anyone know what it is? Thanks.
As you say, tcpdump only offers the filters specified here. This does not include an option to filter on checksum.
However, you can easily filter packets with incorrect checksums using grep:
sudo tcpdump -i eth0 -vvv tcp | grep incorrect
Otherwise your best option is to use tshark.
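What tcpdump -vvv is doing when it prints cksum 0x.... (incorrect -> 0x....) is recomputing the TCP checksum over the pseudo-header, TCP header and payload and comparing it with the field on the wire; grep incorrect just selects those lines. The following is an added example, not code from the question or answer above, that performs the same verification in Python over packets it constructs itself (IPv4 without options, one TCP segment; the addresses, ports and payload are made up), so you can see exactly what "incorrect" means and what the corrected value is. One caveat a practitioner needs: on the capturing host, outbound packets are handed to tcpdump before the NIC fills in an offloaded checksum, so they show up as "incorrect" even though nothing is wrong; capture on a different host, disable offload, or pass -K to tcpdump to skip the verification.

```python
from __future__ import annotations

import struct

TCP_PROTO = 6


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the 16-bit one's
    complement sum. Over a block whose checksum field is already filled in
    correctly the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header (src, dst, zero, protocol,
    TCP length) followed by the whole TCP header and payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                 payload: bytes, corrupt: bool = False) -> bytes:
    """Construct a minimal IPv4/TCP packet (no options). With corrupt=True
    one bit of the TCP checksum field is flipped, like a packet damaged in
    transit or one whose checksum the NIC had not yet filled in."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset (5 words << 4), flags PSH|ACK,
    # window, checksum placeholder, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                          5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src, dst, tcp_hdr + payload)
    if corrupt:
        csum ^= 0x0001
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                         0x4000, 64, TCP_PROTO, 0, src, dst)
    ip_csum = ones_complement_checksum(ip_hdr)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def verify_tcp_checksum(packet: bytes) -> tuple[bool, int, int]:
    """Return (ok, checksum_in_packet, expected_checksum) for an IPv4/TCP
    packet: the check tcpdump -v performs before printing the cksum field."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    found = struct.unpack("!H", segment[16:18])[0]
    # recompute with the checksum field zeroed, exactly as the sender did
    expected = tcp_checksum(src, dst, segment[:16] + b"\x00\x00" + segment[18:])
    return found == expected, found, expected


def describe(packet: bytes) -> str:
    """Render the verdict the way tcpdump -v prints it."""
    ok, found, expected = verify_tcp_checksum(packet)
    if ok:
        return f"cksum 0x{found:04x} (correct)"
    return f"cksum 0x{found:04x} (incorrect -> 0x{expected:04x})"


def bad_checksum_packets(packets: list[bytes]) -> list[int]:
    """Indexes of packets failing verification: the programmatic
    equivalent of piping tcpdump -vvv through grep incorrect."""
    return [i for i, p in enumerate(packets) if not verify_tcp_checksum(p)[0]]


if __name__ == "__main__":
    good = build_packet("192.0.2.10", "192.0.2.20", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    bad = build_packet("192.0.2.10", "192.0.2.20", 40000, 80, b"GET / HTTP/1.0\r\n\r\n", corrupt=True)
    print(describe(good))
    print(describe(bad))
```

Applying the same verify_tcp_checksum to frames read from a pcap (after stripping the link-layer header) is the route to a real "only bad checksums" filter without tshark; note that IPv6 uses a different pseudo-header, and segments with TCP options still verify correctly here because the whole header, options included, is covered.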

IPFW with MAC addressing on FreeBSD-11

I have two laptops that I use when I travel. I need them to have access to my LDAP server. I tried configuring this in my IPFW firewall rules, but they fail:
#!/bin/sh
cmd="ipfw -q add"
pif="em0"
## Lots of rules - truncated
$cmd allow log tcp from any MAC "0C:54:A5:04:BA:DD" to me 389 in via $pif setup keep-state
$cmd allow log tcp from any MAC "00:1A:A0:89:CA:EA" to me 389 in via $pif setup keep-state
This is the error message repeated twice:
ipfw: missing ``to''
If I substitute an IP address and remove the MAC "address" part, it works fine. I got this example from a web search. Can anyone tell me what I am doing wrong?
Looking at the manual page, the MAC dst-mac src-mac is a rule option which means it should appear after the proto from src to dst part of the rule.
So your rule option is both incomplete and in the wrong place.
Are you attempting to check the MAC address while your laptops are travelling? Because I would have thought that the MAC screening will only be meaningful when the laptops are on the same LAN as the firewall.

How to capture BitTorrent infohash IDs on the network using tcpdump or any other open source tool?

I am working on a project where we need to collect the BitTorrent infohash IDs seen in our small ISP network. Using port mirroring we can pass all the WAN traffic to a server and run tcpdump or any other tool to find the infohash IDs downloaded by BitTorrent clients. For example:
tcpflow -p -c -i eth1 tcp | grep -oE '(GET) .* HTTP/1.[01].*'
This command shows results like this:
GET /announce?info_hash=N%a1%94%17%2c%11%aa%90%9c%0a%1a0%9d%b2%cfy%08A%03%16&peer_id=-BT7950-%f1%a2%d8%8fO%d7%f9%bc%f1%28%15%26&port=19211&uploaded=55918592&downloaded=0&left=0&corrupt=0&key=21594C0B&numwant=200&compact=1&no_peer_id=1 HTTP/1.1
Now we need to capture only the infohash and store it in a log or MySQL database.
Can you please tell me which tool can do something like this?
Depending on how rigorous you want to be, you'll have to decode the following protocol layers:
TCP: assemble the packets of a flow. You're already doing that with tcpflow; tshark (Wireshark's CLI) could do that too.
HTTP: extract the value of the GET header. A simple regex would do the job here.
URI: extract the query string.
application/x-www-form-urlencoded: extract the info_hash key/value pair and handle the percent-encoding.
For the last two steps I would look for tools or libraries in your programming language of choice to handle them.
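The last three steps of that list (request line, query string, form-urlencoded value) fit in a short Python filter that reads the output of the tcpflow | grep pipeline from the question and prints one infohash per line. This is an added example, not code from the question or the answer; the only input it is shown with is the announce line quoted in the question, and the file name infohash.py in the usage comment is an assumption. The one detail that trips people up is that info_hash is 20 raw bytes (a SHA-1 digest), so the percent-decoding has to produce bytes, not a Unicode string; the usual hex form is then just those bytes in hex. It also only sees plain-HTTP tracker requests: UDP-tracker announces (BEP 15) and DHT lookups never produce a GET line, so they are invisible to this approach.

```python
from __future__ import annotations

import re
import sys
from urllib.parse import unquote_to_bytes, urlsplit

# Request line as it comes out of: tcpflow -p -c -i eth1 tcp | grep -oE '(GET) .* HTTP/1.[01].*'
REQUEST_LINE = re.compile(r"GET (\S+) HTTP/1\.[01]")

# The announce request quoted in the question, kept here so the example runs offline.
SAMPLE_REQUEST = (
    "GET /announce?info_hash=N%a1%94%17%2c%11%aa%90%9c%0a%1a0%9d%b2%cfy%08A%03%16"
    "&peer_id=-BT7950-%f1%a2%d8%8fO%d7%f9%bc%f1%28%15%26&port=19211&uploaded=55918592"
    "&downloaded=0&left=0&corrupt=0&key=21594C0B&numwant=200&compact=1&no_peer_id=1 HTTP/1.1"
)


def query_pairs(query: str):
    """Split an application/x-www-form-urlencoded query into (key, value bytes).
    Values are decoded to bytes, not str: info_hash is an arbitrary 20-byte
    digest and is not valid UTF-8 in general."""
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        # '+' means space in form encoding; everything else is %XX or a literal byte
        yield key, unquote_to_bytes(value.replace("+", " "))


def info_hashes_from_request_line(line: str) -> list[str]:
    """Every well-formed info_hash in one GET request line, as 40 hex characters.
    Malformed values (wrong length) are dropped rather than logged."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    found = []
    for key, raw in query_pairs(query):
        # a scrape request may carry several info_hash parameters
        if key == "info_hash" and len(raw) == 20:
            found.append(raw.hex())
    return found


def info_hashes_from_flow(text: str) -> list[str]:
    """Run over the whole text output of the tcpflow pipeline."""
    hashes = []
    for line in text.splitlines():
        hashes.extend(info_hashes_from_request_line(line))
    return hashes


if __name__ == "__main__":
    # Usage: tcpflow -p -c -i eth1 tcp | grep -oE '(GET) .* HTTP/1.[01].*' | python3 infohash.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REQUEST
    for h in info_hashes_from_flow(source):
        print(h)
```

Each printed line is the canonical 40-character hex infohash, which is the form you would append to a log or insert into a database column alongside a timestamp and the client address.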

Ubuntu/Thunderbird: ssl_error_rx_record_too_long

I installed Postfix, Courier and a bunch of other e-mail related services on my Ubuntu server. The data is fetched from a MySQL database. But when I try to connect through Thunderbird, I get this error:
ssl_error_rx_record_too_long
Why? How can this be fixed?
How many bits in your SSL key? IIRC, you'll get this error if you use larger than a 2048 bit key.
This error also happens in Thunderbird, but against a Courier imapd SSL installed on Gentoo.
Turns out there were a bunch of broken SSL certificate symlinks in /etc/ssl/certs. Removing them fixed the problem. This lists the dangling symlinks under the current directory:
find . -type l | (while IFS= read -r FN ; do test -e "$FN" || ls -ld "$FN"; done)