Tuesday, 4 February 2020

WireShark Series: Part 1- Getting Started, Filters, Expressions, Graphs

  • We can get already available captures using Tools -> Sample captures

  • To see the OSI Layers, goto Statistics -> Protocol hierarchy
    • Here, we see the protocols and based on the protocols we can tell the layers
    • If any error is there in any protocol, we can find out
    • Frame (Physical), then Ethernet (Datalink), then Internet Protocol (Network), then TCP (Transport), then SSL (session) and HTTP (application layer)

  • Wireshark Filters
    • Capture -> Filters
    • These will filter only those specific packets

  • BPF Filters
    • Capture -> Capture Options
    • Next to "Capture Filters" , we will have "Compile Selected BPFs"
    • BPFs stand for "Berkeley Packet Filte Syntax"
    • It is the expression that is used for filtering

  • Expressions
    • We need a qualifier and an ID
    • For eg: wlan.address ==b4:52:7e:62:6c:4d . Here, the first part is the qualifier and the second part is the ID
    • Operators can be && or || or just !
      • && means AND
      • || means OR
      • means not equal to
    • Qualifiers can either be:
      •  TYPE which would be like HOSTNET or PORT. These identify what the ID refer to. 
      • DIR which would be direction which tells whether the transfer is going to or from the ID. This can be either the source SRC or destination DST
      • PROTO which is the protocol. This could be either HTTP, TCP, UDP, FTP. This is a particular protocol specifically that the ID is also repeating again
    • A cheat sheet that tells all the different expressions that we can use. They also display operators as well as logic
packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
  • For eg,
ip.src == 10.73.31.59 && tcp.port == 80
  • Here, ip qualifier tells it's type is IP address
  • src tells about the direction and it's Source
  • 10.73.31.59 tells us that it is the ID. So, we know that we are looking for a source that equals this IP address
  • && tells us that we also include the next expression while filtering
  • TCP is the type and the port tells us the port ID 80

  • Expressions Examples
    • ip addresses 
      • ip.src == 96.17.148.161 means we are looking for source Ip address as given
      • ip.src_host == 96.17.148.161 gives the same o/p as above and means we are looking for source hosts that have the IP address given
      • ip.addr == 96.17.148.161 means we are looking for IP address given that not only includes sources but also includes destinations
      • ip.dst == 96.17.148.161 or ip.dst_host == 96.17.148.161 means we are looking for destination ip address as given
      • For IPv6 addresses, we need to use ipv6.addr == ...
      • We can also packet capture using DNS host names, you can type ip.host == nameofthehost.
      •  Now try ip.addr == 192.168.1.0/24 and this will show anything on that network within that range.
      • We can also filter by qualifier protocols using ip or http or udp directly. If we want to search by more than one protocol at a time, we can use &&. For eg, udp && http . Ot we can use udp || http
      • ip.dst != 10.73.31.59 gives ip address not equal to given one
    • We can also use the "expression" box next to the filter box to get the options possible directly and we can choose from that if we dont remember the syntax
    • We can also use the "save" button next to the filter box to make a bookmark of the filter and use it instead of having to type it out again
    • Instad of using the "save" option, we can also save the command as a permanent filter using Edit -> New Filter. Thusm, we can directly type the newfiltername in the filter box whenever we want to use that filter
    • We can also filter by the packet sizes using frame.len <= 128 and we will get packets less than or equal to 128


  • TCP Streams and Objects
    • If we visit many sites and don't know which packet is for what in the list, then right-click on the desired packet and click "Follow TCP Stream"

  • Decode As:
    • If we right click on desired packet and select "Decode As", we can convert it to any desired format.
    • For eg, TCP on the transport layer can be decoded to any user-specified protocol from the options

  • Name Resolutions:
    • Capture -> Options
    • Name Resolutions doesnt always work and needs network to be online and correctly configured
    • Resolve  MAC address means Wireshark will resolve the layer-2 or layer-2 mac address
    • Resolve network address means wireshark will  try to resolve IP address into a understandable DNS name
    • Resolve Transport Layer Name means that wireshark will try to convert a port number into whatever that port stands for. For eg, port 80 means HTTP

  • Graphs
    • Flow Graphs:
      • Statistics -> Flow Graph
      • We can choose whether we want all packets or displayed packets (ie. the packets that are shown after using a filter)
      • Then , we get a graph
      • We will see different time stamps and comments about each and every single packet in the middle under the green area with analysis of source and destination

  • This can help to visualize each and every packet flow during the packet capture. Also, we can find from which and to which ip address a specific packet has benn sent and also see the details using the comment

Saturday, 1 February 2020

Demystifying Content Delivery Networks/ CDNs

The idea of a CDN is to bring media rich content geographically closer to the people viewing the content and in turn, provide an optimal experience for the people consuming that content. A CDN improves download speeds, reduces buffering and improves application performance by shortening the distance between the users and the servers hosting the content. The beauty of a CDN from the content provider’s perspective is the ability to have that content distributed all around the world while only having to upload that data to one “origin server”. Once the content is uploaded to the origin server, the CDN distributes that content across each of the points-of-presence or “POPs” within minutes.


Something called POPs:


A CDN consists of multiple points-of-presence or “POPs” scattered across the globe. Each of these POPs is located at different points on the globe. Each POP location is chosen with the singular goal of creating a network that will provide the best performance to as much of the world as possible. At that point, anyone requesting the content will receive the content from the POP that is closest to their physical location. For example, people in Los Angeles will pull content from the US West POPs and people in London will pull content from the EU POP or other closer ones to their locations. This proximity logic works around the globe ensuring an optimal experience for every end-user.

Why use CDN:

CDNs are a great way to speed up the loading times and reduce latency/ round-time delays by caching your data.

Content Delivery Network also provides security from various attacks like SQL injection and denial of service (DOS) and keeps your website safe.

CDN also automatically does Load Balancing during high traffic times and your website speed is not affected.

POP- What Exactly is in it:

It is a system consisting of a number of servers distributed around the globe. Each Point of Presence then contains multiple caching servers. These servers are what actually do the hard work of caching all of your site’s static files. All these servers contain cached static content of your website. Whenever a user visits your website, the server nearest to the user, (which is based on the geographical location of the user), will provide him your website’s static content. The static content of a website includes – CSS files, JavaScript and Images. The content sometimes need not be static. For example, Netflix will cache its entire content library to speed up the buffering of videos.

BILLING IN CDNs:

So how exactly does a CDN billing work? As you know, with a dedicated server you are typically provided with a lump sum of monthly bandwidth (ex. 10TB or 100TB) on a certain sized port (ex. 100Mbps or 1Gbps). So long as you do not exceed the amount of bandwidth included each month, you just pay the base rate for your server. A CDN works differently. With a CDN you pay per GB of outbound data transfer right out of the gate and there is no port size limitation. In most CDNs, as the amount of data you transfer each month grows, your price per GB goes down. So, it makes sense for bigger companies to go for CDNs- either build it themselves if you are Netflix or so for providers like Akamai or Cloudflare if you are reasonably big and want better performance.


Thursday, 31 October 2019

Configuring ZTP on Arista EOS

ZTP
  • CLIs:
    • zerotouch cancel - cancel this time
    • zerotouch disable - distable ztp permanently
    • bash vi /mnt/flash/zerotouch-config
  • DHCPd config:
    • see below
  • Supported version:
    • Fixed - v3.7
    • Chassis - v4.10
  • If no startup-config the switch will default to ZTP, if not disable ZTP, the switch will not function properly.  
  • automatic configuration based on DHCP
    • configure all eth and management ports with "no switchport" to allow DHCP
    • can use dhcpd on the Linux
    • below bootfile can be either config or script
DHCPd config:
option subnet-mask 255.255.255.0
option broadcast-address 192.168.1.255

option routers 192.168.1.1
option domain-name-server 192.168.1.200, 192.168.1.205
option domain-name "gad.net"

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.160 192.168.1.167;
}

host Arista1 {
 option dhcp-client-identifier 00:1c:73:08:91:33;
 fixed-address 192.168.1.170
 option bootfile-name "http://www2.gad.net/config/Arista1-ZTP"
}

ZTP Script:
#!/usr/bin/Cli -p2
enable
copy http://<url>/arista1-startup flash:startup-config
copy http://<url>/EOS-4.9.3.swi flash:
config
boot system flash:EOS-4.9.3.swi

Thursday, 24 October 2019

Awesome Tcpdump Hack for Arista EOS to send to Wireshark

These below commands allow anyone to live stream the packet info to wireshark application on their Mac without having to capture on their device and then copy to mac...


To send tcpdump directly to wireshark:
ssh root@mt701 "tcpdump -s 0 -Un -w - -i vlan100" | wireshark -k -i -

The above command will:
- Tcpdump on the Arista EOS device mt701
- Capture packets of vlan100 (change to your desired interface)
- Pipe the output to Wireshark application on your Mac/Desktop


Tcpdump on a different VRF-"dhcpvrf"
ssh root@mc327 "ip netns exec ns-dhcpvrf tcpdump -i vlan10 port 67 or port 68 " | wireshark -k -i -

The main command telling the VRF info is: "ip netns exec ns-dhcpvrf tcpdump -i vlan2 port 67 or port 68"

The above command will:
- Tcpdump on the Arista EOS device mc327
- Capture packets on VRF "dhcpvrf" (change name to your desired vrf name)
- Capture packets of vlan2 (change to your desired interface)
- Capture packets on Port 67 or Port 68 only
- Pipe the output to Wireshark application on your Mac/Desktop

Thursday, 17 October 2019

VLAN Translation

VLAN Translation is used to encapsulate one vlan (doq1q) in another vlan (dot1q)

So, it is also called q-in-q encapsulation

The original vlan is called C-VLAN (customer) and the translated vlan is called S-VLAN (standard-vlan)

To use vlan translation, 2 ways are there:
  1. Use vlan mapping both ways .ie.any traffic coming with vlan X will be converted to vlan Y and those with vlan Y will be converted to Vlan X

interface Ethernet14
   switchport mode trunk
   switchport vlan mapping 80 280
   switchport port-security maximum 4
   switchport port-security violation protect log
interface Ethernet16
   switchport trunk native vlan 80
   switchport mode trunk
   switchport vlan mapping 280 80

In above case, any traffic coming with vlan 80 on et14 will be converted to vlan 280. On et16, any traffic coming with vlan 280 will be converted to vlan 80 (both ingressing and egressing)

NOTE: In et14, compulsorily vlan280 must be allowed and on et16, compulsorily vlan 80 must be allowed since vlan translation ahppens very initially in pipeline. So, any traffic with original vlan will be converted to new vlan before any sort of processing happens.


  1. Another way is to use only 'in' and 'out' words in the mapping configuration, so that, only incoming or outgoing packets will be translated. Not other way around.

interface Ethernet14
   switchport mode trunk
y
   switchport port-security maximum 4
   switchport port-security violation protect log
interface Ethernet16
   switchport mode trunk
   switchport vlan mapping 280 80
   switchport vlan mapping out 280 80

In this case, on et 14, only incoming packets with vlan 80 will be translated to vlan 280. But, if a vlan 80 packet has to go out from et14,  it will be sent as vlan 80 only. Similarly, on et16, only egressing packets will be translated. So, if vlan 280 packet has to go out from et16, it will be translated to vlan80. But, if a incoming packet with vlan 280 hits et16, it will not be translated.