networking

You are currently browsing articles tagged networking.

I am about to leave on a business trip, which means I once again have to deal with hotel WiFi. I don’t like WiFi in hotels for two reasons – they almost never provision enough network capacity, and they usually have some kind of irritating captive portal system.

Captive portals often have frustrating limitations, like only allowing a small number of devices on the same login, or regularly requiring those devices to log in to the portal again. On top of that, hotel WiFi often uses AP isolation (preventing clients from talking to each other directly) or has other issues that stop Google Chromecast from working. And finally, configuring all my devices to use the different WiFi settings in each location is tedious.

Read the rest of this entry »

In another post, I talked about running Wireshark and other sniffing programs as an unprivileged user. You can do the same with Nmap, but it’s a little more tricky.

WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall rules and interface configuration, or exploit vulnerabilities, including on localhost. It’s possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.

Read the rest of this entry »

The Wireshark team has long warned us not to run Wireshark as root. However, since Wireshark 1.4 (between Ubuntu 10.04 and 12.04), they’ve raised the stakes. Wireshark no longer loads all its plugins and protocol dissectors when run by root, and it displays warning messages on the CLI and the GUI:

root@laptop:~# tshark 
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.

Read the rest of this entry »

A DNS amplification attack

Late last night, someone began using my home Internet connection in DNS amplification attacks. My Virgin Media cable link was hit with several megabits of “ANY record” DNS queries for ripe.net.

Read the rest of this entry »

Time marches on, and so do all those little changes in Linux distribution releases. Most of my really popular blog posts are how-to guides on complicated-but-useful procedures for the technical Linux user. Those users are the same ones who may read the date in the URL and say “Ewww, this was written three years ago, it must be totally outdated now!” I’ve decided to update the most popular posts to bring them up to date. This post is “Using host networking and NAT with VirtualBox”, version 2.0.

Read the rest of this entry »

I am often asked to measure the bandwidth of a network path. Many users test this using a simple HTTP download or with speedtest.net. Unfortunately, any test using TCP will produce inaccurate results, due to the limitations of a session-oriented protocol. TCP window size, latency, and the bandwidth of the return channel (for ACK messages) all affect the results. The most reliable way to measure true bandwidth is with UDP. That’s where my friends iperf and bwm-ng come in handy.

Read the rest of this entry »

Sniffing on a switch

I’m an IP network engineer. When something goes wrong, the first thing I do is sniff packets. Got a SIP phone that won’t register? Forget reading logs; sniff 5060/udp and read the SIP chatter directly. A customer complains that “Yahoo chat doesn’t work”? Sniff 5050/tcp and look for TCP hangups, login failures, or ICMP “port unreachable” messages.

Sniffing is easy when you have access to the intermediate router, but that isn’t always the case. What if you’re just another PC on the same switch? That’s impossible, right?

Read the rest of this entry »

Not long ago we started having very unusual issues with our email servers. Mail would be inexplicably held for delivery, bounce back, or fail to send for hours and then send without issue later. Some users couldn’t fetch email by POP until they restarted their mail client. We investigated the mail software, but weeks of investigation turned up nothing.

Around the same time, we also experienced intermittent problems logging in to MSN Messenger, and some users complained of issues accessing certain web pages, including a lot of HTTPS links. I began to suspect these were related.

Read the rest of this entry »

iptables firewall templates

I use iptables firewalls on every server I administer, including all of our core routers (which run Linux too). There are lots of tools to easily configure a firewall. For simple tasks, Ubuntu now installs ufw by default, which has both command-line and GUI tools. For servers, consider Webmin.

If you want to do something more complicated, or prefer editing iptables rules yourself, you’ll have to do it by hand. When I first started doing this, I found a template online and edited it to suit my needs. Over time I’ve learned a lot more about iptables, and my templates have evolved.

Read the rest of this entry »

I try to post a few times each month, but somehow January (and most of February) fell through the cracks. Lately I’ve been busy with operational tasks, which hasn’t left me much room for engineering. I haven’t solved any particularly hard or unusual problems, which is usually what I write about. Instead, I’ll write about a routine problem that is nonetheless tricky enough to warrant discussion.

Most of the time I’m not in the same country as the servers I administer, which means I can’t just drive down and fix something when it goes wrong. It also means that making changes to the network is particularly dangerous. So is updating the kernel, initrd, or GRUB configuration. It is possible to leave a server in a state that requires you to be physically present to fix it. I call this kind of work “flying without a net”. Here are my techniques for safely working without console access.

Read the rest of this entry »
