This recipe shows how to determine which process or application is using a TCP connection that you saw listed in your netstat output. The example below is for Linux; Windows is further down in the post.
In this example, I have a small ARM Linux device being remotely managed via the “Dataplicity” service. To use the service you install a script which runs on startup. It seems that the script sets up an SSH connection from the managed ARM device to the Dataplicity server, so that when you log in to their Admin portal and choose the “terminal” option, you access the Linux terminal which is already set up.
The netstat output shows a session outbound from the ARM machine (10.10.0.126) to the Dataplicity server (96.126.99.204) on TCP/443 (SSL):
root@raspberrypi:/# netstat -an | grep ':443'
tcp 0 48 10.10.0.126:46098 96.126.99.204:443 ESTABLISHED
The next step is to find which process(es) use the (source) TCP port 46098:
Read more…
After a core network switch reload, a strange problem occurred for 5250 terminal sessions to an AS/400. Sometimes they worked and sometimes not. The same behaviour was observed using ping from within the same IP subnet.
The problem appeared to be the Ethernet framing on the AS/400. The ARP replies kept changing between type SNAP and ARPA. An ARP entry on the core routers showed the MAC address of the AS/400 but using Ethernet “SNAP” encapsulation rather than “ARPA”, the latter being the default encapsulation type for the Cisco 6500s which we were using. Read more…
Nmap uses a list of “default” services from its nmap-services file to label the services found on scanned open ports. To see the “real” application, run Nmap with the “-sV” (version detection) option. Read more…
When troubleshooting with debug, you can create logging lists to filter out messages which are unrelated to your problem.
%ASA-2-106016: Deny IP spoof from (199.89.222.7) to 192.168.240.1 on interface Inside
logging enable
logging timestamp
logging buffered warnings
logging buffer-size 65000
logging list ACL-MESSAGES_LOG-LIST message 106023
logging console ACL-MESSAGES_LOG-LIST
logging monitor ACL-MESSAGES_LOG-LIST
show log
A quick aide-mémoire on how to capture traffic from the Windows command line. You must be in the Wireshark directory (or have its location in your PATH environment variable):
1. Find interface Index:
C:\Program Files (x86)\Wireshark>tshark -D
1. \Device\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft)
2. \Device\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun)
3. \Device\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit Network Connection) Read more…
FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL / Active mode vs Passive mode
Explicit SSL:
ACTIVE MODE:
– A connection to the server is made on TCP/21 (ftp-control channel)
– A connection to the server is made on TCP/20 (ftp-data). Read more…
Browsers can set up two or more TCP connections to an HTTP server to facilitate parallel downloads. As the browser parses the web page it becomes aware of which objects it needs to download.
Rather than sending the requests in series over a single connection, the requests are sent over parallel connections to enable faster downloading of the web page. Another technique used by browsers to improve performance is “HTTP pipelining”. Read more…
Debug flow basic – shows the flow of traffic through the firewall, allowing for troubleshooting of route selection, policy selection, any address translation, and whether the packet is received or dropped by the firewall. Read more…
1. You must have Wireshark successfully installed on the capturing host
2. You must have the AirPcap Wireless Capture Adapter successfully installed on the capturing host Read more…
Another aide-mémoire:
daren@Shimla:~$ sudo apt-get install wireshark
[sudo] password for daren:
Reading package lists… Done Read more…