Archive for the ‘linux’ Category

How to Determine which Process or Application uses a TCP Connection

May 14th, 2015 2 comments

This recipe shows how to determine which process or application uses a TCP connection which you saw listed in your netstat output.  The exampe below is for Linux.  Windows is further down in the post:

In this example, I have a small ARM Linux device being remotely managed via the “Dataplicity” service. To use the service you install a script which runs on startup. It seems that the script sets up an SSH connection from the managed ARM device to the dataplicity server, so that when you login to their Admin portal and choose the “terminal” option, you access the Linux terminal which is already setup.

The netstat output shows a session outbound from the ARM machine ( to the dataplicity server ( on TCP/443 (SSL):

root@raspberrypi:/# netstat -an | grep ‘:443’

the next step is to find which process(es) use the (source) TCP port 46098:

Read more…

Understanding F5 BIG-IP Memory Usage

March 30th, 2015 No comments

Any non-tmsh command you use in the HMS bash shell (like free) will generally only relate to the HMS. This is why there is an apparent discrepancy between the tmsh “show system memory” command and the Linux “free” command: Read more…

Categories: linux Tags:

Case Study: F5 Load Balancer and TCP Idle Timer / fastL4 Profile

March 6th, 2015 No comments

This describes a problem whereby a client connects to a server then waits for a report to complete before retrieving it.  The report took longer than 5 minutes to complete and the TCP session remained idle whilst the client waited.  After a while the TCP connection dropped.

Packet traces were taken at the client, server and intermediate points, which included an F5 load balancer which simply acted as a router. The analysis of the packet traces revealed some interesting things..

What was happening was that the TCP 3-way handshake completed to setup the TCP session.  Then the client sends an HTTP GET requestor method (of TCP segment length 734 bytes) to submit the data, which is then received by a client-side firewall.  The firewall then forwards it onwards towards the server in the direction of an F5 load balancer …

BUT: The HTTP GET doesn’t seem to arrive at the F5.  The server-side firewall however, DID receive the GET and forwards it onto the application server, which then sends back an ACK to the client – which DOES go via the F5. Huh?

It was initially thought that the The F5 therefore saw an ACK packet for a TCP segment that it hasn’t seen, so it sends a RST packet in both directions to tear down the TCP session. This is a little confusing because the TCP session goes through the F5 but the HTTP GET request seemingly bypasses the F5 but does arrive at the server. After a bit of head-scratching and furrowed brows because it made no sense.  The delay. The fact that there clearly wasn’t any asymmetry anyway because the ACK came back via the same path. So why the reset? Read more…

Categories: linux Tags:

Using nMap to Identify Applications

March 3rd, 2015 No comments

nMap uses a list of “default” applications in the nmap services file, used to list services running on scanned open ports.  To see the “real” application execute nMap using the “-sV” option. Read more…

TCP Auto-Tuning

November 17th, 2014 No comments

There is a field in each TCP segment called the “receive window”.  The receiver is essentially signalling the amount of data that it can accept, or is willing to accept.  This post describes the metrics and overhead.

The overhead is: window/2^tcp_adv_win_scale (tcp_adv_win_scale default is 2) So for linux default parameters for the recieve window (tcp_rmem):
87380 – (87380 / 2^2) = 65536. Read more…

Categories: linux Tags:

Simple Bash Script to Backup Netscreen ISG / SSG Firewall

November 7th, 2013 No comments

This script is a simple, interactive way to backup and date-stamp your juniper Netscreen ISG/SSG (ScreenOS) firewall configurations. The script copies the configurations from the firewall using scp. Configurations older than one day ( -mtime +1) are archived off to a bz2 compressed file.  Archives older than 60 days ( -mtime +60 ) are removed from the disk.

The usage is: [ip address / hostname of Netscreen].  (VIEW SCRIPT)

Read more…

Running Snoop on Netscreen Firewall

September 26th, 2013 No comments

An aide-memoir:

ScreenOS-> undebug all
ScreenOS-> clear db Read more…

Categories: Juniper, linux, Security Tags: ,

Linux: Interpreting cat /proc/meminfo

May 13th, 2013 No comments

The entries in the /proc/meminfo can help explain what’s going on with your memory usage, if you know how to read it.

Example of “cat /proc/meminfo”:

root:	total:    	used:    	free:  		shared:	buffers:	cached:
Mem:  	1055760384	1041887232	13873152	0	100417536 	711233536
Swap: 	1077501952  	8540160 	1068961792

Read more…

Categories: linux Tags:

Installing Wireshark on Ubuntu Linux

May 2nd, 2013 No comments

Another aide-memoir:

daren@Shimla:~$ sudo apt-get install wireshark

[sudo] password for daren:
Reading package lists… Done Read more…

Categories: linux, Protocol Analysis Tags:

iproute2 Crib Notes

April 10th, 2013 No comments

An aide-memoir from practicing iproute2, the utilities used to control TCP/IP networking and Linux Traffic Control

“ip link list” – shows us our links

[Daren@home Daren]$ ip link list
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100
link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff
3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
Read more…

Categories: linux Tags: