Rotating files with tcpdump
tcpdump -s 0 -C 10 -w /tmp/capture.pcap port 80
The above command captures complete packets (-s 0), applies the capture filter port 80, and writes to /tmp/capture.pcap. -C 10 tells tcpdump to start a new file every 10 MB (the unit is 1,000,000 bytes), so capture.pcap is the first file, followed by capture.pcap1, capture.pcap2, etc. Keep the options in front of the filter expression: tcpdump treats everything after the options as the filter, and an order such as "port 80 -C 10 -w ..." only works where getopt happens to reorder the arguments for you. Adding -W N keeps at most N files and overwrites the oldest, so an unattended capture cannot fill the disk.
One important note: when -C is used, tcpdump drops root and switches to its unprivileged capture user (typically "tcpdump" on distributions built with privilege dropping; -Z user overrides the name) before it creates the rotated files, so the output directory must be writable by that user. Make the directory owned by the capture user rather than world-writable: in a world-writable directory any local user can pre-create or swap the numbered files that the capture is about to open.
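The following script is an added example, not code from the original post. It sets up the rotating capture described above with a directory check in place of the world-writable advice, and reads the rotated files back in the order they were written (plain ls sorts capture.pcap10 before capture.pcap2). The capture user name "tcpdump", the directory, the file size and count, and the helper names are all assumptions for illustration; check the user your own tcpdump drops to.

```sh
#!/bin/sh
# Added example, not from the original post: run a rotating capture into a
# directory that belongs to tcpdump's unprivileged user, and list the rotated
# files in capture order. Assumptions (mine, not the post's): tcpdump drops to
# a user named "tcpdump" (Debian/Fedora builds; see your man page), and the
# directory, size and file count are made up for illustration.

CAPTURE_USER=${CAPTURE_USER:-tcpdump}

# Succeed only if DIR exists, is owned by USER (name or numeric uid) and is
# not world-writable. A world-writable directory lets any local user
# pre-create or swap the numbered files tcpdump opens after dropping root.
check_capture_dir() {
    user=$1
    dir=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # POSIX find: -prune stops at the directory itself; -user/-perm test it.
    if [ -z "$(find "$dir" -prune -user "$user" -print 2>/dev/null)" ]; then
        echo "$dir is not owned by $user" >&2
        return 1
    fi
    if [ -n "$(find "$dir" -prune -perm -002 -print 2>/dev/null)" ]; then
        echo "$dir is world-writable" >&2
        return 1
    fi
    return 0
}

# Compose the tcpdump command line. Options go before the filter expression
# so the filter is never parsed as options; -W caps the number of files so
# the capture cannot fill the disk (-C 10 -W 5 means at most 50 MB).
rotating_capture_cmd() {
    user=$1; dir=$2; size_mb=$3; count=$4; filter=$5
    printf 'tcpdump -s 0 -Z %s -C %s -W %s -w %s/capture.pcap %s\n' \
        "$user" "$size_mb" "$count" "$dir" "$filter"
}

# List rotated files in capture order: the bare name first, then numeric
# suffixes ascending, which is how tcpdump names them without -W.
rotated_files_in_order() {
    base=$1
    [ -f "$base" ] && printf '%s\n' "$base"
    for f in "$base"[0-9]*; do
        [ -f "$f" ] || continue
        suffix=${f#"$base"}
        printf '%s %s\n' "$suffix" "$f"
    done | sort -n | cut -d ' ' -f 2-
}

# Usage: ./rotate-capture.sh DIR [FILTER]  (run as root; tcpdump drops to CAPTURE_USER)
if [ -n "${1:-}" ] && command -v tcpdump >/dev/null 2>&1; then
    check_capture_dir "$CAPTURE_USER" "$1" || exit 1
    cmd=$(rotating_capture_cmd "$CAPTURE_USER" "$1" 10 5 "${2:-port 80}")
    echo "+ $cmd"
    exec $cmd    # unquoted on purpose: split the composed line into words
fi
```

With -W the files are numbered from 0 and reused round-robin, so the oldest file is not necessarily the lowest number; in that case order them by modification time (ls -tr) instead of by suffix.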
Basic DNS troubleshooting with dig
I don't usually end up troubleshooting DNS issues, but one thing led to another recently and I ended up elbow-deep in DNS troubles. I spent a good portion of my day on telecons with the party who actually administers the DNS servers for this client, and with Akamai. I did walk away with a better understanding of how Akamai works and of basic DNS querying with the dig command on Linux.
The following shows the DNS equivalent of a traceroute. Notice that it "traces" the name from right to left: the configured recursive resolver (208.67.220.220 here) supplies the list of root servers, then a root server is asked and refers dig to the .com servers, a .com server refers it to the nameservers for dacaprice.com, and finally one of those answers the A query itself. Each "Received ... from" line names the server that answered that step, so a delegation pointing at the wrong place shows up as a wrong referral at the corresponding level.
[dacaprice@linux ~]$ dig dacaprice.com +trace

; <<>> DiG 9.7.4b1-RedHat-9.7.4-0.3.b1.fc14 <<>> dacaprice.com +trace
;; global options: +cmd
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
;; Received 228 bytes from 208.67.220.220#53(208.67.220.220) in 273 ms

com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
;; Received 491 bytes from 192.112.36.4#53(192.112.36.4) in 386 ms

dacaprice.com.          172800  IN      NS      ns1.comphouse.com.
dacaprice.com.          172800  IN      NS      ns2.comphouse.com.
;; Received 109 bytes from 192.41.162.30#53(192.41.162.30) in 70 ms

dacaprice.com.          14400   IN      A       72.32.185.230
dacaprice.com.          86400   IN      NS      ns2.comphouse.com.
dacaprice.com.          86400   IN      NS      ns1.comphouse.com.
;; Received 125 bytes from 72.32.185.230#53(72.32.185.230) in 50 ms
The next section illustrates how to query a specific DNS server. In this case I queried ns2.comphouse.com (an authority for dacaprice.com) directly, bypassing the local resolver and its cache. The output shows the A record mapping dacaprice.com to the IP address of the webserver, the authoritative nameservers for dacaprice.com in the AUTHORITY section, their glue addresses in the ADDITIONAL section, and various query-related statistics. Two things in the header are worth reading: the "aa" flag confirms this answer came from the server's own zone data rather than a cache, and the "recursion requested but not available" warning is expected and healthy. dig sets the RD (recursion desired) bit by default; an authoritative-only server that refuses to recurse is doing the right thing, since an authoritative server that also answers recursive queries for anyone is an open resolver. Use +norecurse to query authoritative servers without the warning.
[dacaprice@linux ~]$ dig @ns2.comphouse.com dacaprice.com

; <<>> DiG 9.7.4b1-RedHat-9.7.4-0.3.b1.fc14 <<>> @ns2.comphouse.com dacaprice.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42212
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dacaprice.com.                 IN      A

;; ANSWER SECTION:
dacaprice.com.          14400   IN      A       72.32.185.230

;; AUTHORITY SECTION:
dacaprice.com.          86400   IN      NS      ns2.comphouse.com.
dacaprice.com.          86400   IN      NS      ns1.comphouse.com.

;; ADDITIONAL SECTION:
ns1.comphouse.com.      14400   IN      A       72.32.185.230
ns2.comphouse.com.      14400   IN      A       67.192.225.138

;; Query time: 52 msec
;; SERVER: 67.192.225.138#53(67.192.225.138)
;; WHEN: Tue Aug  9 22:07:10 2011
;; MSG SIZE  rcvd: 125
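The script below is an added example, not part of the original post, that turns the two manual dig steps above (find the nameservers, then ask each one directly) into a check: every NS for the zone is queried with recursion desired off, and a server is reported if it is not authoritative, if it advertises recursion, or if it disagrees with the others on the A record. The live part needs dig and network access; the parsing helpers are pure shell and are exercised here on the post's own response from ns2.comphouse.com, reformatted. Function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: query each authoritative server
# for a zone directly, as the post does by hand, and parse what comes back.
# check_zone needs dig and the network; the helpers below it do not.

# Flag list from a dig response header line, e.g. "qr aa rd".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# True if the response header carried FLAG (aa, ra, tc, ...).
has_flag() {
    case " $(dig_flags "$1") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# A records for NAME taken from the ANSWER section only, so glue records in
# the ADDITIONAL section are never mistaken for the answer.
answer_a() {
    printf '%s\n' "$1" | awk -v owner="$2." '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; /                { in_answer = 0 }
        in_answer && $1 == owner && $3 == "IN" && $4 == "A" { print $5 }'
}

# Live check. +norecurse clears the RD bit, so the "recursion requested but
# not available" warning does not appear; a server that still sets "ra" is
# offering recursion to the world, which an authoritative server should not.
check_zone() {
    zone=$1
    first=""
    for ns in $(dig +short NS "$zone"); do
        resp=$(dig +norecurse @"$ns" "$zone" A)
        has_flag "$resp" aa || echo "$ns: answer is not authoritative"
        has_flag "$resp" ra && echo "$ns: recursion available (open resolver?)"
        a=$(answer_a "$resp" "$zone" | sort | tr '\n' ' ')
        echo "$ns: A = ${a:-<none>}"
        [ -z "$first" ] && first=$a
        [ "$a" = "$first" ] || echo "$ns: disagrees with first server ($first)"
    done
}

# Constructed sample for offline use: the post's response from ns2.comphouse.com,
# one record per line as dig prints it.
SAMPLE_RESPONSE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42212
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dacaprice.com.                 IN      A

;; ANSWER SECTION:
dacaprice.com.          14400   IN      A       72.32.185.230

;; AUTHORITY SECTION:
dacaprice.com.          86400   IN      NS      ns2.comphouse.com.
dacaprice.com.          86400   IN      NS      ns1.comphouse.com.

;; ADDITIONAL SECTION:
ns1.comphouse.com.      14400   IN      A       72.32.185.230
ns2.comphouse.com.      14400   IN      A       67.192.225.138
EOF
)

# Usage: ./check-zone.sh ZONE   (no argument: parse the sample response)
if [ -n "${1:-}" ]; then
    check_zone "$1"
else
    printf 'flags: %s\n' "$(dig_flags "$SAMPLE_RESPONSE")"
    has_flag "$SAMPLE_RESPONSE" aa && echo "authoritative answer"
    has_flag "$SAMPLE_RESPONSE" ra || echo "recursion not available: expected for an authoritative-only server"
    printf 'A: %s\n' "$(answer_a "$SAMPLE_RESPONSE" dacaprice.com)"
fi
```

Running it against a real zone after a delegation change is a quick way to catch one lagging or misconfigured nameserver that the resolver you happen to hit would otherwise hide.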
Boot Cisco router from rommon
I work with some legacy Cisco routers that will occasionally boot into rommon after a power outage or scheduled reboot. It's almost as if the router can't locate the flash memory to load the correct IOS. The usual causes are a configuration register that forces a stop in rommon (0x2100, for example) or a boot system statement that points at an image no longer present in flash; show version displays the register and dir flash: lists the images (dir flash: also works from the rommon prompt). Luckily I have out-of-band console access, so I can tell it where to find the IOS image by hand:
rommon 5 > boot flash:IOS_file.bin
Once it is up, make the fix permanent with boot system flash:IOS_file.bin and config-register 0x2102 in global configuration, then write memory; otherwise the next reboot lands in rommon again.
Dump packets with tcpdump
I always forget the parameters for this and have to look them up in the man page, so enough of that:
tcpdump -nnXSs 0 host <hostname or IP>
- "-nn" stops tcpdump resolving IP addresses to hostnames and port numbers to service names (from /etc/services). That gives faster, cleaner output, and it also means tcpdump does not fire off reverse-DNS lookups for every address it sees, which is both slow and visible on the network.
- "-X" prints each packet in hex and ASCII, payload included; that's really the useful bit for tracking headers and such.
- "-S" prints absolute rather than relative TCP sequence numbers. By default tcpdump rewrites sequence numbers relative to the first packet it saw in each connection, so they differ from capture to capture; absolute numbers are what is actually on the wire, which lets you line up captures taken on different hosts or by different people at the same time.
- "-s 0" sets the snapshot length. Older versions of tcpdump captured only the first 68 (later 96) bytes of each packet by default, which cuts off payloads and even some headers; 0 means capture the full packet. Since tcpdump 4.0 the default snaplen is 262144 bytes, so "-s 0" is harmless there but no longer needed.
Cisco IOS Keyboard Shortcuts
Below is a list of the IOS line-editing shortcuts:
Ctrl+T: Swap the current character with the one before it
Ctrl+K: Erase all characters from the current cursor position to the end of the line
Ctrl+X: Erase all characters from the current cursor position to the beginning of the line
Ctrl+L: Reprint the line
Ctrl+C: Aborts the current command; in configuration mode, exits to privileged EXEC mode
Ctrl+A: Moves the cursor to the beginning of the current line
Ctrl+E: Moves the cursor to the end of the current line
Ctrl+F: Moves forward one character
Ctrl+B: Moves backwards one character
Ctrl+R: Redisplays a line (starts a new line, with the same command shown)
Ctrl+U: Erases a line
Ctrl+W: Erases a word
Ctrl+Z: Exits configuration mode, returning you to privileged EXEC mode
Ctrl+P (or up arrow): Recalls the previous command from the history buffer (press again to go further back)
Ctrl+N (or down arrow): Recalls the next, more recent command after you have stepped back with Ctrl+P
Tab: Completes a partial command
Esc, F: Moves forward one word
Esc, B: Moves backwards one word