Déc 292018
 

Following previous article, I did some more googling around windows raw sockets feature and found this interesting article.

And in particular this part when weighting the pros and cons of using windows raw sockets :

Since raw sockets are built into the kernel TCP/IP implementation, there is no need for additional kernel-mode code (such as NDIS filter drivers or WFP callout drivers). There are however a number of drawbacks compared to the first two techniques:

· No filtering in kernel-mode is possible – all packets are delivered to the user-mode application (which has performance implications).

· There is no visibility of how many packets are lost/dropped as a result of insufficient buffering.

· The packets are first time-stamped when processed by a user-mode application, which might be some time after they “could have been” time-stamped by filter/callout driver kernel-mode code running in a DPC (Deferred Procedure Call).

· There is no guarantee of the order in which the kernel adds packets to the raw socket. Monitoring the kernel activity with the “Microsoft-Windows-TCPIP” and “Microsoft-Windows-Winsock-AFD” providers indicates that the outbound response to an inbound packet is often copied to the raw socket before the inbound packet.

Déc 272018
 

Working in IT, I use Wireshark almost every day.
This software is just great : free, opensource and will probably take me a lifetime to master it all as there are so many things you can do with it.

However, there are times where you need a driverless and standalone software i.e a software which does not require any installation on your production server.
Indeed, I have seen cases where network may be interrupted for a short while or even worse, cases where the server would BSOD (on old winpcap versions thus).
Furthermore, in some situation you may wish to capture traffic over a VPN interface or over localhost : both actions which wireshark (or rather winpcap) can not perform.

That’s where the windows raw socket feature comes in handy : built in windows feature and can snif over VPN or localhost.
Read more about windows raw sockets here.

Raw sniffer is a command line tool meant to capture IP traffic built around windows raw sockets..
You can pipe out to a text file (and later parse it in excel) or generate a cap file which you can later open with wireshark.
Source code is on github.

It takes simple command line parameters : snif [localip] [proto] [port] [0:1]

Some possible usage :
-snif 127.0.0.1 * * 1 : will capture all traffic on localhost to the console AND dump all traffic to a cap file
-snif 127.0.0.1 tcp 80 1 : will filter on http traffic on localhost to the console AND dump all traffic to to a cap file
-snif * udp * 0 : will filter on udp traffic on selected interface to the console

note : if you dont see your incoming traffic, allow snif.exe on your windows firewall – this could do the trick.

Download here

Déc 152018
 

In a previous article, I released a GUI for libnfs library.

This time, I’ll release a command line tool allowing one to perform simple tasks against NFS exports.


nfsclient 0.1 by erwan2212@gmail.com
nfsclient 0.1 discover
nfsclient 0.1 read nfs://server/export/filename
nfsclient 0.1 write nfs://server/export/ local_filename
nfsclient 0.1 dir nfs://server/export/

Download here.
Discuss here.

Nov 022018
 

See previous article to understand why and what.

Previously we have created our master / parent disk.

Lets now create our differencing / child disks using our host (windows 8.1) virtual disk capabilities.

Lets do it in one batch.


rem list disks before
vmount disks
rem create child1 against parent iscsi.vhd
vmount createchild e:\_images\child1.vhd e:\_images\iscsi.vhd
rem create child2 against parent iscsi.vhd
vmount createchild e:\_images\child2.vhd e:\_images\iscsi.vhd
rem attach child1 without assigning any letter to it
vmount attach e:\_images\child1.vhd noletter
rem attach child2 without assigning any letter to it
vmount attach e:\_images\child2.vhd noletter
rem list disks
vmount disks
rem check attributes of disk2
vmount attributes 2
rem check attributes of disk3
vmount attributes 3
rem disk3 is most probably offline because of disk signature collision between disk2 and disk3
rem lets force it online : windows will generate a new signature
rem make sure to use a BCD using LOCATE and not using disk signature or else bootmgr will error
rem more about locate here http://www.mistyprojects.co.uk/documents/BCDEdit/files/device_locate.htm
vmount online 3

Notice how the second virtual disk now has a different signature (since we forced it online…).

 Posted by at 15 h 19 min
Déc 262017
 

Lately I decided to flash my Linksys wrt1200ac with dd-wrt as Linksys obviously dropped support for this nice hardware (no more firmware updates for a long time).
Not to mention that the vendor firmware is extremely basic (not to say limited…).

Once I had flashed the device with the proper firmware, next step for me was to monitor bandwidth from my domotic/monitoring box (jeedom).

The most obvious track was snmp (dd-wrt feature) – Helas, the snmp daemon does not implement counter64 snmp values so this is useless.
Next step was to use some curl/awk/grep script like curl -u root:password http://192.168.1.250/Status_Internet.asp, etc but the web pages heavily rely on javascript so here again, curl was a dead end.

I finally resorted to remotely read values from the device nvram using a script around ssh : not the most elegant way, but the only one I could work out.

The below will retrieve the day/month/year value from my Linksys wrt1200ac based on dd-wrt.
Note, I had to use ssh-keygen & ssh-copy-id to be able to ssh without having to provide a password.
Or alternatively, copy the root id_rsa.pub public key to the wrt authorized keys.

#!/bin/bash
read YYYY MM DD <<<$(date +'%Y %m %d')
#echo 'nvram get traff-'$MM'-'$YYYY
sudo ssh root@192.168.1.250 -q 'nvram get traff-'$MM'-'$YYYY | awk '{print $'$DD'}' | awk -F ":" '{print $1}'
Oct 312017
 

1.0.0.21
modified : dns proxy will read entries from config.ini (section=hostname,ident=ip), no more from hosts file
added : right click open config.ini
added : right click open root_path
fixed : share folder will now add everyone read-only on share permissions
added : share is created with STYPE_TEMPORARY flag, i.e will not survive a reboot
added : TPS will answer to specific ‘discovery’ messages (see discover.zip)
fixed : wsMinimized=1 was preventing form_show and load_config
added : each daemon will report on which ip it is listening (useful to troubleshoot)
added : syslogd will read ip under [syslog] in config.ini if one wants to bind to a specific interface (instead of 0.0.0.0 by default)
fixed : error handling in log_memo to avoid a possible date bug
fixed : httpd could not list files/folder in a non indexed folder
modified : ucimp.pas uses winsock, not wsck
modified : iphlpapi_helper.pas uses winsock, not wsck
modified : usnoop uses winsock, not wsck
modified : iptypes uses winsock, not wsck
modified : removed ipheader unit in main form
modified : TPS does not use wsck unit anymore

Discuss it here.
Download here.

 Posted by at 20 h 12 min
Oct 312017
 


1.0.0.20
added : new option wsMinimized in config.ini to start the app minimized
fixed : @mac,@ip,@arch added to dhcp_offer (was only dhcp_ack before)
fixed : pool start correct when opt54 set in ini file
todo : send arch in dhcp offer
added : @opt54 variable next to @mac,@ip,@arch -> similar to ${next-server} in ipxe
fixed : next server passed to send_dhcpoffer and send_dhcpack
added : will add a scrollbar when active monitor height <=600
added : vscroll=1 in config.ini will force a vertical scrollbar
fixed : option 6 dns server was wrong when choosing a different NIC
added : arch will be taken into account in the dhcp offer as well
fixed : tftpd can be disabled again in config.ini
added : will select the active nic in the opt54 combo box
modified : 2 more fields hidden and moved to the advanced part of the form
fixed : log to file is disabled
added : a syslog server is included in the zip file (syslog=127.0.0.1 in the config.ini)

Discuss it here.
Download here.

 Posted by at 20 h 10 min
Oct 312017
 

1.0.0.19
added : root can be an http url (netboot for debian, ubuntu, …)
fixed : stream.free on udp transfer complete
added : can log to a syslog server (add syslog=host in config.ini)
fixed : non critical udp socket errors would stop the dhcp daemon
added : in analysedata, will exit loop as soon as a dhcp message is found
added : in analysedata, will prevent (byte)offset>255
added : offline button will terminatethread if still active (53,67,4011)
fixed : no more high cpu usage on random occasions
added : new options skip_dhcp_inform & skip_dhcp_discarded
added : forcerenew dhcp messages logged

Discuss it here.
Download here.

 Posted by at 20 h 09 min