Category: Networking

  • Installing Plixer’s “Scrutinizer” NPMD

    Plixer makes a good “Network Performance Monitoring and Diagnostics” (NPMD) application called “Scrutinizer“. NPMD, as Gartner calls it, mostly omeans, collecting, aggregating, and reporting on Netflow data.

    Plixer provides a VMware OVF for installation of a virtual appliance. I, however, ran into a few issues with the installation:

    • I couldn’t get the install to work OVF through vCenter successfully, or at least vCenter 6.5. It would install, but when I booted it would come up to a PXE boot, rather than CentOS which the appliance runs on. The answer was to install it through the Windows vSphere ESXi client or through the web vSphere ESXi client.
    • Setting up SSL (HTTPS) during the initial install prompts wouldn’t work. Everything seemed fine, but on final boot of the Scrutinizer appliance, the HTTP/HTTPS wouldn’t come up at all. It turned out it hadn’t actually generated the certificates and files were missing. The answer is to select “no” to SSL in the initial dialog, then when fully up, log in using the “plixer” login and use the “set ssl on” option after the fact. SSL then works correctly afterwards.
    • By default it will bind to IPv6 ports and not to IPv4 ports (!) to listen for Netflow data. The solution is to log into the Scrutinizer server/guest as root and disable IPv6 per this document. Specifically, I recommend the “/etc/sysctl.conf” change as it is relatively simple to execute.
    • When logged in as “root”, doing a “yum update” is useful, though I would do the following bullet after.
    • When logged in as “plixer”, it’s useful to run the “set tuning” as well as “update packages”, though oddly it seems to run back one of the kernel updates from the last bullet.

    Now I just need to figure why I’m still not seeing the packets from the ASA…

  • Fix Apple Bonjour with Cisco autonomous APs

    I purchased some used Cisco C1140 autonomous access points for my home network (autonomous meaning not lightweight or requiring a WLC). While everything seemed to be fine at first, later we noticed that printouts to our Canon laser printer were no longer working from our Macs. After some research I realized that the Macs were failing to locate the printer due to Apple Bonjour protocol issues. Google searches led to partial solutions, but most required a downgrade of the AP IOS – a no, no as a security professional.

    I kept looking and it turns out my savior was actually a Chromecast user with the same issue. Two configuration changes on the APs to disable IGMP snooping had to be executed, not one:

    All the prior advice was just to disable the former, which didn’t work (at least without an AP downgrade!). Adding the second line did the full trick.

    You may need to disconnect and reconnect to the wireless for full effect. Since multicast IGMP has other uses, I can’t guarantee the impact in a larger environment.


    Well, this may or may not work. In the end it seemed not to for me, but it’s still worth a try in your network.

  • How to probe ethernet capabilities…

    Mostly for my own edification – use “ethtool”, eg:

    You’ll note two important details about this output:

    1. This NIC is gig capable but is only running at 100mbs.
    2. I claim to be running this as root, but any good sysad should be using “sudo” instead!

    Anyway, simple command, but sometimes you forget them.

  • Why is WLAN “signal quality” in negative decibels?

    If you use “iwconfig” on Linux to get statistics on your wireless LAN you’ll note that the “Signal Level” is expressed in negative decibels. On the surface that would appear confusing – how can decibels be negative?!

    Fortunately an anonymous poster explains at Toms Hardware:

    Absolute power of a signal is measured in wattage. The bel or decibel system can only describe relative power- a gain of 3 dB means your signal is 2 times as strong as it was before, but the dB scale doesn’t define where you’re starting from or what your ‘zero’ is. So, we specify dBm, indicating that our scale is relative to 1 milliWatt of power. 0 dBm = 1 mW.

    The reason you see negative values is that you’re representing small but positive numbers, on a logarithmic scale. In logarithms, the value indicated represents an exponent… for example, under a log 10 scale, a value of -2 represents 10 to the -2 power, which equals 0.01. Likewise, a negative dBm means that you’re applying a negative exponent in your power calculations; 0 dBm equals 1 mW of power, so -10 dBm equates to 0.1 mW, -20 dBm equates to 0.01 mW, and so forth. It’s a lot easier, and more useful in some calculations, to describe a weak signal as -100 dBm as opposed to 0.0000000001 mW.

    Pretty simple when it’s explained that way!

  • Larry Ellison on “Cloud Computing”

    Via SwissInfo:

    “The computer industry is the only industry that is more fashion-driven than women’s fashion,” Oracle founder Larry Ellison commented on cloud computing recently. “Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane.”

    I think there’s more to it than just gibberish – stuff like Google Apps is a great and usable example, however it’s true everyone is jumping on this and my mailbox is absolutely blown out with “cloud computing this” and “cloud computing that”. Half of it is in fact pure gibberish.

    Not surprising, Stallman hates it:

    He makes some good points about why you should be wary. I think what you should take away from his comments is that if you are thinking of using cloud computing, go in with your eyes open (as opposed to it’s just plain “stupid”).

  • Defaulting a Cisco interface…

    One pain with Cisco IOS is trying to get a configured interface back to defaults. Half the time you don’t even remember what those were.

    If it’s a sub-interface you can “no” it, but you will still have configuration left behind:

    cisco(config)#no interface ATM1/0.1
    Not all config may be removed and may reappear after reactivating the sub-interface

    with physical top level interfaces you can’t “no” them at all anyway.

    The answer is to use the “default” command:

    cisco(config)#default interface ATM1/0.1
    Building configuration…

    Interface ATM1/0.1 set to default configuration

    Curiously this doesn’t seem to clear PVC definitions!

    NOTE: If you do this on the primary physical interface, all sub-interfaces will be defaulted and deleted (which may or may not be what you want). So use carefully!

    UPDATE: Well the docs say the sub-interfaces will be deleted, but they’re not in my experience. Also it’s not even clear if this works on sub-interfaces. The combination of a “no” on the sub-interface first and then a “default” after the fact seemed to maybe work, but no promises.

  • How to remove a VLAN from a port in CatOS…

    I can never seem to remember how to “remove” a VLAN on a switch (eg: Cisco 6500) running the older CatOS. The new IOS based switches are much easier.

    Anyway, it’s actually quite simple, just force the port to VLAN 1 (assuming that is your default/native VLAN). For example if port 6/5 was set to a VLAN and you wanted to remove it, just type:

    set vlan 1 6/5

    and bingo it’s removed from the current VLAN.

    Often this is necessary when reusing a port that had a VLAN assignment but you want to use as a trunk.

  • Where to find the Windows XP “hosts” file

    Just like Unix you can add a static host to the Windows system. On Windows XP the file is usually found in the “intuitive” location here (may change depending on where you loaded Windows):


    This is also where the “lmhosts” file is found.

    The format is in standard ARPANET format. For more information see this Wiki page.

    Be warned though, putting entries in here essentially makes them static and thus if the target IP is changed in the real owner’s DNS, your local host entry may be pointing to the wrong place. That is why this is best avoided unless really necessary.

  • WPA versus WPA2?

    So what’s the difference?

    Not much or a lot depending on your opinion. WPA uses TKIP for key management, whereas WPA2 uses AES-CCMP. Usually depending on how the AP has been set up, you can use either (TKIP or AES-CCMP) interchangeably, thus using WPA or WPA2 as needed. Many older devices like those running Windows Mobile 5, only support WPA with TKIP, while WPA2 is now required for Wi-Fi Alliance‘s “WiFi CERTIFIED” moniker.

    This is a pretty rough overview, however in the end the general consensus is WPA2 is more secure due in part to it’s use of the government/industry preferred AES protocol for key protection. However WPA is probably sufficient for the vast majority of uses and is infinitely better than using WEP protocol. WEP really is only useful for keeping your average neighbor off your network – any mildly serious attacker will be able to compromise a WEP based wireless network.

    As long as I’m on the subject, hiding your SSID is also basically a useless joke as there are so many tools to sniff them even when not set to “broadcast”. Either use WPA(2) or further encapsulate your traffic over a VPN connection. Still, in general as an extra layer of protection, you ought to disable “broadcast SSID“, though because of the way the protocol works the benefit is honestly nearly nil. Still, “layered security” is the way to go.

  • WPA resources

    When researching using WPA on Ciscos I ran into a lot of useful URLs as resources. If you’re in the same bind, you may find them helpful too:

    Not a pretty list, but still good to put somewhere!

  • What is 802.1x?

    If you’re investigating things like enterprise WPA and/or NAC based network control you’ll probably run into the fact that it uses 802.1x protocol. So what is 802.1x?

    Basically the long and short of it is IEEE 802.1x is just a protocol to pass EAP over wired/wireless LANs. EAP on the other hand is just a protocol to take the AP/RAS/switch/router out of the stream of authentication. It is a way of tunneling the authentication request to a Radius server and let the two figure out the authentication without the AP/RAS/switch/router having to handle it.

    A good primer on the subject is here:

    Incidentally the user unfriendly term “supplicant” will often come up. Much as it sounds like something fancy, it isn’t. In most regards it just means the client you’re trying to connect to the network, however more officially it’s the process(es) on the client taking care of the 802.1x authentication. The client runs the supplicant to authenticate, to quote:

    The wireless node that requests authentication is often called Supplicant, although it is more correct to say that the wireless node contains a Supplicant. The Supplicant is responsible for responding to Authenticator data that will establish its credentials. The same goes for the access point; the Authenticator is not the access point. Rather, the access point contains an Authenticator. The Authenticator does not even need to be in the access point; it can be an external component.

    So ultimately the “supplicant” is really a program running on the client. Also see:

    which also is a useful document.

    As a final note, often the EAP passed in the 802.1x conversation is encapsulated in what’s called “PEAP” (yes, all of the acronyms are a pain!). Essentially PEAP is a public key based method of encrypting the EAP payload via SSL/TLS, thus protecting the authentication from prying eyes.

  • If using WPA-PSK, use a long key!

    If you must use WPA-PSK (meaning WPA with a pre-shared key, rather than WPA using 802.1x authentication via Radius), make sure your key is sufficiently long. Ideally 20 characters or more.

    To quote:

    Robert Moskowitz’s article, “Weakness in Passphrase Choice in WPA Interface,” describes a theoretical attack on WPA passwords. The tools WPA-psk-bf, CoWPAtty and WEP Crack are implementations of this attack and have demonstrated the ability to break WPA-PSK keys that are 20 characters or fewer. The Aircrack tool suite operates in an active or passive mode to gather the data required to launch these attacks. In passive mode, the Aircrack tools capture the four-packet authentication handshake between an AP and client. The handshake is then processed through a WPA breaking tool for an offline brute-force attack. If the attacker has not captured the handshake, the Aircrack tools active mode will force a disassociation and reassociation.

    For more see this article:

    which gives a fairly comprehensive overview of the challenges here.