Decode CDP or LLDP packets with tcpdump

If you don't have lldpd available you may use tcpdump to get all the LLDP (and CDP) information. Below are a few examples of how you can do it.

CDP

## This will often show you the Cisco chassis switch; then use your firm's asset management software to find the upstream switch.
## -s 1500 captures 1500 bytes of the packet (typical MTU size)
## ether[20:2] == 0x2000 – capture only packets that have the 2-byte value 0x2000 starting at byte 20 (the SNAP protocol ID that CDP uses)

interface=eth0 ; tcpdump -i ${interface} -v -s 1500 -c 1 'ether[20:2] == 0x2000'


LLDP

## Switch:

interface=eth0 ; tcpdump -i ${interface} -s 1500 -XX -c 1 'ether proto 0x88cc'


## Port and CDP Neighbor Info (matches either the LLDP ethertype at byte 12 or the CDP SNAP ID at byte 20):

interface=eth0 ; tcpdump -i ${interface} -v -s 1500 -c 1 '(ether[12:2] = 0x88cc or ether[20:2] = 0x2000)'


If you need more info about CDP or LLDP have a look at the links below.
CDP stands for Cisco Discovery Protocol, a layer 2 protocol used to share information about other directly connected Cisco equipment (Wikipedia). LLDP stands for Link Layer Discovery Protocol and replaces CDP. LLDP is a vendor-neutral Data Link Layer protocol used by network devices to advertise their identity, capabilities and neighbours (Wikipedia). This is useful to find out what VLAN your network interface is connected to (assuming that you're using tagged VLANs), or what port you are plugged into on which switch.
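As an added example (not part of the original post), the following Python builds constructed LLDP and CDP frames, applies the same byte-offset tests the tcpdump filters above rely on, and walks the LLDP TLVs to pull out the chassis ID, port ID, system name and 802.1 port VLAN ID, which is the information you would otherwise read out of the -v / -XX output. The MAC addresses, switch name, port name and VLAN number are made-up sample values.

```python
import struct
LLDP_ETHERTYPE = 0x88CC   # ether[12:2] in the LLDP filters above
CDP_SNAP_PID = 0x2000     # ether[20:2] in the CDP filter above (SNAP protocol id)
def tlv(tlv_type, value):
    # One LLDP TLV: 7-bit type, 9-bit length, then the value bytes.
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value
def build_lldp_frame():
    # Constructed LLDP frame (not a real capture): switch sw-core-1, port Gi1/0/7, VLAN 42.
    payload = (tlv(1, b"\x04" + bytes.fromhex("001122334455"))       # chassis ID, subtype 4 = MAC
               + tlv(2, b"\x05Gi1/0/7")                               # port ID, subtype 5 = ifname
               + tlv(3, struct.pack("!H", 120))                       # TTL in seconds
               + tlv(5, b"sw-core-1")                                 # system name
               + tlv(127, bytes.fromhex("0080c201") + struct.pack("!H", 42))  # 802.1 port VLAN ID
               + tlv(0, b""))                                         # end of LLDPDU
    return bytes.fromhex("0180c200000e001122334455") + struct.pack("!H", LLDP_ETHERTYPE) + payload

def build_cdp_frame():
    # Constructed CDP frame: 802.3 length, LLC aa:aa:03, SNAP OUI 00:00:0c, PID 0x2000, CDP header.
    body = bytes.fromhex("aaaa0300000c") + struct.pack("!H", CDP_SNAP_PID) + b"\x02\xb4\x00\x00"
    return bytes.fromhex("01000ccccccc001122334455") + struct.pack("!H", len(body)) + body

def classify(frame):
    if struct.unpack("!H", frame[12:14])[0] == LLDP_ETHERTYPE:
        return "LLDP"
    if len(frame) >= 22 and struct.unpack("!H", frame[20:22])[0] == CDP_SNAP_PID:
        return "CDP"
    return "other"

def parse_lldp(frame):
    # Walk the LLDPDU TLVs and return the fields that locate switch, port and VLAN.
    info, off = {}, 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")   # malformed frame: stop rather than guess
        off += 2 + tlen
        if ttype == 0:                          # end-of-LLDPDU
            break
        if ttype == 1:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode("ascii", "replace")
        elif ttype == 2:
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif ttype == 5:
            info["system_name"] = value.decode("ascii", "replace")
        elif ttype == 127 and value[:4] == bytes.fromhex("0080c201"):
            info["port_vlan"] = struct.unpack("!H", value[4:6])[0]
    return info
```

Running `parse_lldp(build_lldp_frame())` returns the switch name, port and VLAN 42 for the constructed frame; feed it raw frames from a capture to get the same fields from a real switch.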

 

udev – Change network card label

Several times I've been asked how to rename a network card label on a Linux system; this can be achieved by following the steps below.

Stop networking

service networking stop

The network kernel module needs to be removed, but first you need to identify the right kernel module

sudo lspci -k | grep -i -A4 ethernet

04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 07)
	Subsystem: Sony Corporation Device 9099
	Kernel driver in use: r8169
	Kernel modules: r8169

Reload rules

udevadm control --reload-rules

Edit the udev rules in /etc/udev/rules.d/*persistent-net.rules; in the example below we will rename the previous eth0 to eth5 (the MAC address in ATTR{address} must match your card).

# PCI device 0x10ec:0x8168 (r8169)

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="d4:3d:7e:xx:xx:xx", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth5"

Remove the module in question

rmmod r8169

I'm using a Realtek chip on my Vaio laptop; you should replace r8169 with the module used on your system.

Request device events from the kernel

udevadm trigger

Start network

service networking start

Et voila! You should have now a network card named eth5 on your system.
If you want to learn more about udev and udevadm check the info here or just type man udevadm on the command line.

Have fun,

Pedro Oliveira

OpenVPN username/password authentication on DD-WRT

In this post I'll be using DD-WRT build 23320 and an ASUS RT-AC66U router to set up two "always on" VPNs (using OpenVPN) with username/password authentication. This router supports all the new wifi protocols and in theory exceeds 1Gbps using dual band; it supports both the 2.4GHz and 5.0GHz bands. I've used it with DD-WRT without any stability issues for more than 6 months now.

DD-WRT is one of my favourite Linux distributions; it's specially made to work on home routers, APs and small appliances. You may download it from http://www.dd-wrt.com and make sure your equipment is supported by looking into the router database.

Apart from the regular home router needs, DD-WRT also supports a complete set of network functionality like:

  • FreeRadius
  • PPPoE Server
  • VPN
  • USB (printing/mass storage)
  • NAS
  • Hotspot
  • SIP Proxy
  • Adblocking
  • Webserver
  • QOS

As I said, I'll be talking about enhancing the standard OpenVPN functionality in DD-WRT. OpenVPN is available on most DD-WRT builds; nevertheless, out of the box you can only have one VPN connected and it doesn't support username/password authentication.

Let me describe the setup:

  1. Home at country A (localnet 192.168.17.0/27)
  2. Home at country B (localnet 192.168.18.0/27)
  3. External third-party net at country C (localnet 172.17.31.0/23)
  4. In order to see IPTV on country A I need to route all the IPTV network through openvpn server at country B
  5. I want to have full network access to networks on country B and C from country A
  6. I want to have full network access from country B to country A
  7. I don’t want access from country C on country A (or B but it’s not relevant for us)

What’s needed:

  1. DD-WRT enabled router (in this case an ASUS RT-AC66U) with support for OpenVPN (mega version).
  2. OpenVPN endpoint* (in this example we will be using 2 endpoints, one in country B and another in country C).
  3. User access to those endpoints (username/password/certificates).

* as an endpoint you may use any kind of appliance or custom-made OpenVPN solution; if you want to build it fast I'd recommend Endian FW, pfSense, or your own OpenVPN installation.

DD-WRT has a very nice graphical interface and we will use it to build our setup. Previously I configured the router through the command line, storing all the config data in nvram with commands like:

nvram set _VAR1_="config blabla"

nvram commit

and then created a startup script that would read all those variables and create the config files.

But as I said there’s a better way of doing it and that’s by using the startup option on the command menu that can be found under administration.

We will create a single script that is read when DD-WRT comes to life and starts up our VPNs.

Just press edit under the startup placeholder.

You may insert the text below; I'll describe what it does further on in the post.

mkdir /tmp/openvpncl
# credentials for each endpoint: first line username, second line password
cat > /tmp/openvpncl/myauth1.txt << EOF
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
cat > /tmp/openvpncl/myauth2.txt << EOF
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
chmod 500 /tmp/openvpncl/myauth1.txt
chmod 500 /tmp/openvpncl/myauth2.txt
# routes added once each tunnel is up; xxx.xxx.xxx.xxx is the gateway reachable through that tunnel
cat > /tmp/openvpncl/route-up_1.sh << EOF
#!/bin/sh
route add -net 23.13.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 80.24.178.0/23 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.2.2.0/24 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.22.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
EOF
cat > /tmp/openvpncl/route-up_2.sh << EOF
#!/bin/sh
route add -net 16.13.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 12.24.178.0/23 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 13.2.2.0/24 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 10.232.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
EOF
chmod 500 /tmp/openvpncl/route-up_1.sh
chmod 500 /tmp/openvpncl/route-up_2.sh
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf << EOF
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
auth-user-pass /tmp/openvpncl/myauth1.txt
# script-security 2 is required so openvpn may run the --route-up script
script-security 2
dev tap1
# bf-cbc as used on this router; it is a 64-bit block cipher that newer OpenVPN releases deprecate, use an AES cipher when both ends support it
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_1 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf << EOF
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
auth-user-pass /tmp/openvpncl/myauth2.txt
script-security 2
dev tap2
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_2 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
# CA certificate of each endpoint, PEM encoded
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca << EOF
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE
-----END CERTIFICATE-----
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca << EOF
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE
-----END CERTIFICATE-----
EOF
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
sleep 5

(nohup openvpn --config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf --route-up /tmp/openvpncl/route-up_1.sh &) > /dev/null
(nohup openvpn --config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf --route-up /tmp/openvpncl/route-up_2.sh &) > /dev/null

If you know OpenVPN a bit deeper you may find it odd that I'm not using LZO compression. This is done on purpose: LZO will limit the bandwidth available on the router because of CPU usage. In my case most of the traffic is already compressed (ssh, mp4, images, and so on). With LZO I would find my CPU near 100% with traffic around 25Mbps, so I prefer to disable it and compress the traffic between the endpoints at application level. This allows me to have 100Mbps+ throughput on the VPN link with this router + DD-WRT config.

You will have to edit the firewall placeholder on DD-WRT; once again press edit and insert the following:

iptables -I FORWARD 1 -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD 2 -i tap1 -o br0 -j ACCEPT
iptables -I FORWARD 3 -i br0 -o tap2 -j ACCEPT
iptables -I INPUT 1 -i tap1 -j ACCEPT

The startup script is nothing more than a set of commands that run to create the configuration files on DD-WRT. Please be advised that you will have the VPN passwords in plain text in the configuration, which may pose a security risk. Nevertheless it's not less secure than having the full configuration rely on certificates, since anyone able to retrieve your data from DD-WRT will also be able to retrieve the certificates. If you really don't want the password in plain text you won't be able to fully automate the VPN startup process.

The iptables rules are needed in order to allow access to the different networks; this is the most basic set of rules that allows the configuration I proposed at the beginning. Finally, please don't forget to change the route-up_X.sh scripts to match your needs.

Happy networking with DD-WRT!

Pedro Oliveira

 

Qualcomm, Inc. Sony Gobi 2000 Wireless Modem – OpenSuSE 12.1 – Vaio VPCSB

Hello,

Recently I updated my openSuSE 11.4 to the latest openSuSE 12.1. It was a hassle-free upgrade and my system is running smoothly; nevertheless I hadn't used one of my favorite features on this laptop, the built-in GSM card.
Today I needed it and, bummer, it didn't work, even though I could see it in network manager. I remembered I hadn't installed the firmware (this card needs firmware to be loaded every time the device boots). So I put the files in /lib/firmware/gobi and ran gobi_loader, and it worked just fine.
Next I rebooted the laptop, but it didn't load the firmware automatically; I checked udev and the entry was missing.

So in order to use the Qualcomm, Inc. Sony Gobi 2000 Wireless Modem with the Vaio VPCSB you’ll need:

Install gobi_loader

sudo zypper in gobi_loader

Copy the firmware files to /lib/firmware/gobi (you can find these files on the net; I won't put them here because of license issues). The file names are:

amss.mbn apps.mbn UQCN.mbn

With the latest gobi_loader from SuSE that's all. If it still doesn't work, do the following:

Create a new udev rule file (with joe, vi, kwrite, gedit, etc), just don’t forget you must be root or use sudo:

vi /etc/udev/rules.d/61-gobi.rules

Content:

# udev rules for firmware loading on qualcomm gobi devices

ACTION=="add", SUBSYSTEM=="tty", KERNEL=="ttyUSB*", GOTO="gobi_rules"

GOTO="gobi_rules_end"

LABEL="gobi_rules"
ATTRS{idVendor}=="05c6", ATTRS{idProduct}=="9225", RUN+="gobi_loader -2000 $env{DEVNAME} /lib/firmware/gobi"
LABEL="gobi_rules_end"

Cheers,
Pedro Oliveira

Galaxy tab 10.1 – User review

Hello,
Once again I’m writing about stuff I recently bought. This time it’s about my Samsung Galaxy Tab 10.1 (LTE, 16GB storage).
I bought it 2 months ago (more or less) and it's been my companion since; it's my favorite gadget and the one I use most when I'm not working. So... why do I like it this much, and what are its strengths and weaknesses?

Strong points:

  • Size and looks
  • Processing power and available ram
  • Applications available
  • Net
  • Display quality and resolution
  • Sound quality including microphone
  • Flash availability
  • Cameras quality despite low resolution
  • Battery endurance
  • Easy root access

Weak points

  • Samsung software including slow update release cycle and specially touchwiz
  • Android honeycomb (I’ll explain this afterwards)
  • Connectors place (some on the top, some at the bottom)
  • 16GB storage (I never found the 32GB LTE version available in stores)
  • No sdcard slot (although there’s an external adapter)
  • No USB mass storage availability (that’s really annoying)

Apps that I really enjoy:

  • Angry birds
  • Astro
  • Better Terminal
  • Bloomberg
  • Dolphin Browser
  • Evernote
  • ezPDF reader
  • Facebook
  • Firefox
  • HP Home & Biz (for printing support)
  • LogMeIn
  • Network Info II
  • Network Mapper
  • OpenVPN
  • PressReader (a must)
  • RomManager (a must)
  • ScreamingNetTools (a must)
  • Skype (a must have)
  • SuperUser
  • Thumbs keyboard
  • Titanium Backup
  • Torque (if you like to control your car with your mobile/tab)
  • WifiAnalyser
  • X Construct
  • and many others 🙂

Conclusions
The Galaxy Tab is great and I love it. It has a large display that lets you watch high-definition movies during a flight, the battery runs for 12+ hours (in flight mode), and I have about 50 apps that complement my tab usage, so I find the app availability very good. I also enjoy the freedom that LTE (4G, 3G) gives me while on the road.
I also enjoy the ability to use it for remote access to servers (MS and Linux); it's my first gadget where I can really do some work for a while without getting too tired (if you use ssh on your mobile phone you know what I mean).
Another good thing about the Galaxy Tab 10.1 is that I almost don't use my laptop at home; it's perfect for browsing the web and replying to email, but better than all that are the newspaper and magazine applications that allow me to read everything I want without carrying too much stuff with me.

But, and there's always a but, Samsung and Google fail on this device and its software. Samsung uses TouchWiz on top of Honeycomb, and that's a pain; then the Kies desktop software is only available on Windows, and to finish it off Google didn't release the source code for Honeycomb.
Most of the bad things on this device don't affect the regular, non-informed user, but they limit the hardware usage where you don't have the freedom to choose the type of installation you like; you'll have a hard time compiling your own kernel modules and tuning your hardware as you like. All this is more Google's fault than Samsung's, but there's hope with Ice Cream Sandwich (Android v4).
On Samsung's side I complain about the slow release cycle and about their TouchWiz software, which is a piece of crap; the desktop software is also buggy and slow (I only used it twice though).
Whenever I need to transfer a file to the Galaxy Tab I use an ssh server on the Tab and send the file through wireless connection with scp or rsync.

To finish, I recommend this to everyone; it made my life easier both on the professional side and at home. It's a great product, well built with quality components and very easy to use.
Now I only hope Samsung does a better job on the software side; the device is surely worth it.
Cheers,
Pedro Oliveira
