Comments for Daren Matthews http://mccltd.net/blog Cisco Networking and Open Source Blog Sat, 28 Apr 2012 08:55:11 -0400 http://wordpress.org/?v=2.8 hourly 1 Comment on AirPcap NX, 802.11N and the Extension channel by Daren Matthews http://mccltd.net/blog/?p=1476&cpage=1#comment-39701 Daren Matthews Sat, 28 Apr 2012 08:55:11 +0000 http://mccltd.net/blog/?p=1476#comment-39701 Hi Adrian, No I'm afraid that AirPcap is not supported on OSX at the moment. See the FAQ from cacetech (Riverbed) here: http://www.cacetech.com/support/airpcap_faq.html#faq_12 I have not used Airmagnet so I can't really compare them, but as you'll see from many discussions of the pro's and cons of each, the jury is still out. What I would say though is IF you are a Wireshark devotee, then AirPcap is developed to work with it. Riverbed Technology acquired cacetech and the staff work alongside the inventors or Wireshark and winpcap (Loris Degioanni and Gerald Combs) , who also work for Riverbed. See the video here: http://mccltd.net/blog/?p=1116 Sorry I can't be more specific. I have provided some links here. Please also note that AirPcap is also designed to work with Cascade Pilot (which opens huge Wireshark files, as demostrated here: http://www.youtube.com/watch?v=5TIASlFDLwQ ) to provide useful graphical tools and analyses of the data contained within the capture file. There's a 30-day trial version of this software available on Riverbed's website. Airmagnet: http://www.flukenetworks.com/enterprise-network/wireless-network/AirMagnet-WiFi-Analyzer Cascade Pilot: http://www.riverbed.com/us/contact/cascade-pilot-30-day-trial.php (complete the form and then a link to the software download is sent to you, with the 30-day licence key). Video: http://www.riverbed.com/us/media/demos_videos/product_demos/cascade_introduction.php More videos: http://www.riverbed.com/us/media/demos_videos/product_demos/ Sorry I couldn't be more specific but I hope this helps anyway. - Daren. (Riverbed employee) Hi Adrian,

No I’m afraid that AirPcap is not supported on OSX at the moment. See the FAQ from cacetech (Riverbed) here: http://www.cacetech.com/support/airpcap_faq.html#faq_12

I have not used Airmagnet so I can’t really compare them, but as you’ll see from many discussions of the pro’s and cons of each, the jury is still out. What I would say though is IF you are a Wireshark devotee, then AirPcap is developed to work with it. Riverbed Technology acquired cacetech and the staff work alongside the inventors or Wireshark and winpcap (Loris Degioanni and Gerald Combs) , who also work for Riverbed. See the video here:
http://mccltd.net/blog/?p=1116

Sorry I can’t be more specific. I have provided some links here. Please also note that AirPcap is also designed to work with Cascade Pilot (which opens huge Wireshark files, as demostrated here: http://www.youtube.com/watch?v=5TIASlFDLwQ ) to provide useful graphical tools and analyses of the data contained within the capture file. There’s a 30-day trial version of this software available on Riverbed’s website.

Airmagnet:
http://www.flukenetworks.com/enterprise-network/wireless-network/AirMagnet-WiFi-Analyzer

Cascade Pilot:
http://www.riverbed.com/us/contact/cascade-pilot-30-day-trial.php (complete the form and then a link to the software download is sent to you, with the 30-day licence key).

Video:
http://www.riverbed.com/us/media/demos_videos/product_demos/cascade_introduction.php
More videos:
http://www.riverbed.com/us/media/demos_videos/product_demos/

Sorry I couldn’t be more specific but I hope this helps anyway.
- Daren. (Riverbed employee)

]]> Comment on AirPcap NX, 802.11N and the Extension channel by Adrian http://mccltd.net/blog/?p=1476&cpage=1#comment-39652 Adrian Fri, 27 Apr 2012 21:52:23 +0000 http://mccltd.net/blog/?p=1476#comment-39652 what are your thoughts on AirPcap adapter? Do you think its good value alternative to Airmagnet Wifi analyser? Is it supported on OSX natively? what are your thoughts on AirPcap adapter? Do you think its good value alternative to Airmagnet Wifi analyser? Is it supported on OSX natively?

]]> Comment on Quick Practice Lab: Configure CBAC by BR http://mccltd.net/blog/?p=644&cpage=1#comment-36924 BR Tue, 03 Apr 2012 03:55:31 +0000 http://mccltd.net/blog/?p=644#comment-36924 Very nice!!! i've been digging into this but still got confused! And thanks to you! Everything is clear to me now!!! Thank you! Very nice!!! i’ve been digging into this but still got confused! And thanks to you! Everything is clear to me now!!! Thank you!

]]> Comment on WCCP Load Distribution (Hash and Mask) by Daren Matthews http://mccltd.net/blog/?p=999&cpage=1#comment-34965 Daren Matthews Fri, 02 Mar 2012 21:04:55 +0000 http://mccltd.net/blog/?p=999#comment-34965 Hi Karol, Great stuff! Also, take a look at these examples (excuse the poor alignment) - one default and one non-default to see how mask is applied: Default WCCP Mask: Field...........................Mask (Hex)................Mask (Binary) Source IP address.........0000........................0000000000000000 Dest. IP address...........1741........................0001011101000001 Source Port..................0000.......................0000000000000000 Dest Port.....................0000.......................0000000000000000 Non-Default WCCP Mask: Field............................Mask(Hex)................Mask (Binary) Source IP address..........2480........................0010010010000000 Dest. IP address............0208........................0000001000001000 Source Port..................0003........................0000000000000011 Dest Port.....................0000........................0000000000000000 Hi Karol,

Great stuff! Also, take a look at these examples (excuse the poor alignment) – one default and one non-default to see how mask is applied:

Default WCCP Mask:
Field………………………Mask (Hex)…………….Mask (Binary)
Source IP address………0000……………………0000000000000000
Dest. IP address………..1741……………………0001011101000001
Source Port………………0000…………………..0000000000000000
Dest Port…………………0000…………………..0000000000000000

Non-Default WCCP Mask:
Field……………………….Mask(Hex)…………….Mask (Binary)
Source IP address……….2480……………………0010010010000000
Dest. IP address…………0208……………………0000001000001000
Source Port………………0003……………………0000000000000011
Dest Port…………………0000……………………0000000000000000

]]> Comment on Hacking APC Masterswitch Admin Password by Daren Matthews http://mccltd.net/blog/?p=36&cpage=1#comment-34762 Daren Matthews Tue, 28 Feb 2012 18:18:54 +0000 http://mccltd.net/blog/?p=36#comment-34762 Thanks Lane! yes a Cisco rollover connection takes pins 1 through 8 of an RJ-45 cable and flips them, so that 1 is 8, 2 is 7, 3 is 6, and 4 is 5. The flat blue RJ-45 cables that come with most Cisco equipment is wired in this manner. So the pin-outs of the RJ-45 end are the same as the flat blue Cisco "rollover" cable. An RJ-45 to DB-9 convertor takes these "rolled" signals and places them onto these pins: RJ-45 DB-9 1========>7 2========>4 3========>3 4========>5 5========>5 6<========2 7<========6 8<========8 The challenge then is taking the pinouts from one of the RJ-45 ends and converting the signals from Cisco's rollover to a Null-modem configuration. Cisco also sell some End connectors, one of which is the "CAB-25AS-FDTE". I think that this convertor will change the rollover to connect to a DB-25 RS-232 DTE interface. The APC uses a DB-9 RS-232 DTE signalling, so my thought is that using the CAB-25AS-FDTE with a standard DB-9 to DB-25 convertor will work. Please note though that this recommendation has not been proven and this advice is offered in good faith as best-effort. Thanks Lane! yes a Cisco rollover connection takes pins 1 through 8 of an RJ-45 cable and flips them, so that 1 is 8, 2 is 7, 3 is 6, and 4 is 5. The flat blue RJ-45 cables that come with most Cisco equipment is wired in this manner.

So the pin-outs of the RJ-45 end are the same as the flat blue Cisco “rollover” cable. An RJ-45 to DB-9 convertor takes these “rolled” signals and places them onto these pins:

RJ-45 DB-9
1========>7
2========>4
3========>3
4========>5
5========>5
6<========2
7<========6
8<========8

The challenge then is taking the pinouts from one of the RJ-45 ends and converting the signals from Cisco’s rollover to a Null-modem configuration.

Cisco also sell some End connectors, one of which is the “CAB-25AS-FDTE”. I think that this convertor will change the rollover to connect to a DB-25 RS-232 DTE interface. The APC uses a DB-9 RS-232 DTE signalling, so my thought is that using the CAB-25AS-FDTE with a standard DB-9 to DB-25 convertor will work.

Please note though that this recommendation has not been proven and this advice is offered in good faith as best-effort.

]]> Comment on Hacking APC Masterswitch Admin Password by lane http://mccltd.net/blog/?p=36&cpage=1#comment-34747 lane Tue, 28 Feb 2012 15:17:26 +0000 http://mccltd.net/blog/?p=36#comment-34747 For the cable, I use a Cisco serial cable with a hand built adaptor to take the RJ-45 to NULL modem. Comes in very handy on a number of devices. You can find the pin-outs for the RJ-45 to null by doing a google search and a little work. This site was just what the Dr. ordered. Nice job in presenting the material. My 9211 had the passwords in the correct place. Once you break it, go here to upgrade to the last available firmware (not available from APC anymore :-( For the cable, I use a Cisco serial cable with a hand built adaptor to take the RJ-45 to NULL modem. Comes in very handy on a number of devices. You can find the pin-outs for the RJ-45 to null by doing a google search and a little work.

This site was just what the Dr. ordered. Nice job in presenting the material. My 9211 had the passwords in the correct place. Once you break it, go here to upgrade to the last available firmware (not available from APC anymore :-(

]]> Comment on WCCP Load Distribution (Hash and Mask) by Karol http://mccltd.net/blog/?p=999&cpage=1#comment-34444 Karol Thu, 23 Feb 2012 11:27:39 +0000 http://mccltd.net/blog/?p=999#comment-34444 <a href="#comment-34417" rel="nofollow">@Karol </a> Hi Daren! I've figured it out! 0x1741 is 1011101000001 in binary notation, which has 6 bits set to 1. That's why it will give us only 2^6 possible buckets (index values) after performing a bitwise AND using this mask and any IP Address. @Karol
Hi Daren!
I’ve figured it out! 0×1741 is 1011101000001 in binary notation, which has 6 bits set to 1. That’s why it will give us only 2^6 possible buckets (index values) after performing a bitwise AND using this mask and any IP Address.

]]> Comment on WCCP Load Distribution (Hash and Mask) by Karol http://mccltd.net/blog/?p=999&cpage=1#comment-34417 Karol Wed, 22 Feb 2012 21:43:41 +0000 http://mccltd.net/blog/?p=999#comment-34417 Hi Daren! I'm confused. How do you result in 2^6 buckets using the 0x1741 mask? Hi Daren!
I’m confused. How do you result in 2^6 buckets using the 0×1741 mask?

]]> Comment on Using TCPDUMP to Filter on DSCP by Daren Matthews http://mccltd.net/blog/?p=1199&cpage=1#comment-34411 Daren Matthews Wed, 22 Feb 2012 20:00:57 +0000 http://mccltd.net/blog/?p=1199#comment-34411 If you use a Riverbed Steelhead Appliance, you can apply the same tcpdump filter but using the inpath interface: Steelhead # tcpdump -i inpath0_0 -vvv (ip and (ip[1] & 0xfc) >> 2 == 20) If your Steelhead uses more than one inpath interface, some of the packets may use one interface and the others a second. So, make sure that you open TWO cli sessions and write the capture to a pcap file: Steelhead # tcpdump -i inpath0_0 -vvv (ip and (ip[1] & 0xfc) >> 2 == 20) -w cap-inpath-0.cap Steelhead # tcpdump -i inpath0_0 -vvv (ip and (ip[1] & 0xfc) >> 2 == 20) -w cap-inpath-1.cap Then open one file in Wireshark and then MERGE with the second capture. Alternatively, use the "Custom Filter" field from the Web interface (Reports > diagnostics > tcpdump) and tick the lan0_0, wan0_0 and lan0_1 and wan0_1 interfaces. Again, once the capture is complete and you've downloaded the pcap files, open one and merge with the second. If you use a Riverbed Steelhead Appliance, you can apply the same tcpdump filter but using the inpath interface:

Steelhead # tcpdump -i inpath0_0 -vvv (ip and (ip[1] & 0xfc) >> 2 == 20)

If your Steelhead uses more than one inpath interface, some of the packets may use one interface and the others a second. So, make sure that you open TWO cli sessions and write the capture to a pcap file:

Steelhead # tcpdump -i inpath0_0 -vvv (ip and (ip[1] & 0xfc) >> 2 == 20) -w cap-inpath-0.cap

Steelhead # tcpdump -i inpath0_0 -vvv (ip and (ip[1] & 0xfc) >> 2 == 20) -w cap-inpath-1.cap

Then open one file in Wireshark and then MERGE with the second capture.

Alternatively, use the “Custom Filter” field from the Web interface (Reports > diagnostics > tcpdump) and tick the lan0_0, wan0_0 and lan0_1 and wan0_1 interfaces. Again, once the capture is complete and you’ve downloaded the pcap files, open one and merge with the second.

]]> Comment on Riverbed Steelhead through Cisco ASA by James http://mccltd.net/blog/?p=959&cpage=1#comment-33424 James Fri, 03 Feb 2012 04:10:59 +0000 http://mccltd.net/blog/?p=959#comment-33424 Just dealt with this on an ASA 8.0.x, and we needed to add service-policy policyname global (I'm not the firewall admin, he just told me that's what was needed) Just dealt with this on an ASA 8.0.x, and we needed to add

service-policy policyname global

(I’m not the firewall admin, he just told me that’s what was needed)

]]>