Friday, May 28, 2004

Plugins for Firebird

Don't care to see Macromedia Flash on Web sites while using Firefox? Try installing Flashblock. You can install the .xpi file as a user and have it work at sites like Tom's Hardware as soon as you restart Firefox.

Another cool plugin for Firebird (or Mozilla for that matter) is Live HTTP Headers. You can use this plugin to watch your browser's HTTP requests and the server's HTTP responses. To install this plugin, change the permissions on your /usr/X11R6/lib/firefox/lib/mozilla-1.6/components and /usr/X11R6/lib/firefox/lib/mozilla-1.6/chrome directories to be writable by the user installing the plugin. Alternatively, run Firefox as root and then install the plugin.

Update: Check out the Web Developer Firefox extension. It's incredibly powerful.

Building Kernel and World on One System, Installing on Another

I'd read Tracking for Multiple Machines in the FreeBSD Handbook, which gives hints on building the FreeBSD userland, or "world," and kernel on one system and installing them on another system. You might do this because the target system is slow and your build machine is fast, or because you prefer to let production machines serve users rather than use CPU cycles rebuilding the world and kernel.

Inspired by this post, I decided to try building the world and kernel on my package builder, "neely," and installing them on target systems. I chose my sensor platform "bourque," as a test system.

First I made sure that neely's world was up to date. I'm tracking the security release of FreeBSD 5.2 (which takes care of 5.2.1). My /usr/local/etc/release-supfile looks like this, with all of the commented lines removed:

*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5_2
*default delete use-rel-suffix

*default compress


I ran this script, which takes care of neely's world and kernel:

#!/bin/sh
# Source updated by Richard Bejtlich
# 1215 07 Nov 03

# Pick the fastest cvsup mirror in the US.
SERVER=`fastest_cvsup -q -c us`

HOSTNAME=`/bin/hostname -s`
echo "Beginning to update $HOSTNAME."

# Fetch the RELENG_5_2 sources named in the supfile from that mirror.
echo "cvsup -g -L 2 -h $SERVER /usr/local/etc/release-supfile"
cvsup -g -L 2 -h $SERVER /usr/local/etc/release-supfile

echo "cd /usr/src/"
cd /usr/src/ || exit 1
# Pre-buildworld mergemaster pass, for new users and groups the build needs.
echo "/usr/src/usr.sbin/mergemaster/ -p"
/usr/src/usr.sbin/mergemaster/ -p

# Clear the old object tree. The cd must succeed before the rm, or the
# rm -rf would run in whatever directory the script was started from.
echo "cd /usr/obj"
cd /usr/obj || exit 1
echo "chflags -R noschg *"
chflags -R noschg *
echo "rm -rf *"
rm -rf *
echo "cd /usr/src"
cd /usr/src || exit 1
# cleandir is run twice on purpose, as the Handbook's rebuild procedure does.
echo "make cleandir"
make cleandir
echo "make cleandir"
make cleandir
echo "make buildworld"
make buildworld || exit 1

echo "cd /usr/src"
cd /usr/src || exit 1
echo "make buildkernel KERNCONF=$HOSTNAME"
make buildkernel KERNCONF=$HOSTNAME || exit 1
echo "make installkernel KERNCONF=$HOSTNAME"
make installkernel KERNCONF=$HOSTNAME || exit 1

echo "make installworld"
make installworld || exit 1
# Printed only as a reminder: the post-install mergemaster pass is run by hand.
echo "/usr/src/usr.sbin/mergemaster/"

echo "Done updating $HOSTNAME"

Now that neely's world and kernel were up to date, I decided to rebuild the kernel for other machines.

I created a separate kernel configuration file for bourque in neely's /usr/src/sys/i386/conf directory. I named that file "bourque" and edited it to suit the bourque system's kernel needs. Next I created the following script to build a kernel for bourque:

neely:/usr/local/bin$ cat
#!/bin/sh
# Kernel rebuilder by Richard Bejtlich
# 1550 26 May 04

# Name of the target host, which is also the name of its kernel config file
# in /usr/src/sys/i386/conf. Defaults to bourque, the sensor built here.
HOSTNAME=${1:-bourque}

echo "Beginning to rebuild $HOSTNAME kernel."

echo "cd /usr/src"
cd /usr/src || exit 1
echo "make buildkernel KERNCONF=$HOSTNAME"
make buildkernel KERNCONF=$HOSTNAME || exit 1

echo "Done rebuilding $HOSTNAME kernel."

When I ran the script, here is some of what I saw:


Beginning to rebuild bourque kernel.
cd /usr/src
make buildkernel KERNCONF=bourque

>>> Kernel build for bourque started on Wed May 26 16:42:32 EDT 2004
===> bourque
mkdir -p /usr/obj/usr/src/sys
cd /usr/src/sys/i386/conf; PATH=/usr/obj/usr/src/i386/legacy/usr/sbin:/usr/obj/
/sbin:/bin:/usr/sbin:/usr/bin config -d /usr/obj/usr/src/sys/bourque
Kernel build directory is /usr/obj/usr/src/sys/bourque
Don't forget to do a ``make depend''
cd /usr/obj/usr/src/sys/bourque; MAKEOBJDIRPREFIX=/usr/obj

I ensured that neely was exporting its /usr directory via NFS with this /etc/exports file:

/usr -alldirs

Now I moved to bourque, where I created and ran this script:

#!/bin/sh
# Source updater via master builder by Richard Bejtlich
# 1614 26 May 04

HOSTNAME=`/bin/hostname -s`
echo "Beginning to update $HOSTNAME."

# Mount the builder's source and object trees over the local ones (NFS over
# TCP), then list the mount table to confirm both came from neely.
echo "Mounting /usr/src and /usr/obj on neely"
mount_nfs -T neely:/usr/src /usr/src || exit 1
mount_nfs -T neely:/usr/obj /usr/obj || exit 1
mount

echo "cd /usr/src"
cd /usr/src || exit 1
echo "make installkernel KERNCONF=$HOSTNAME"
make installkernel KERNCONF=$HOSTNAME || exit 1

echo "make installworld"
make installworld || exit 1
# Printed only as a reminder: the post-install mergemaster pass is run by hand.
echo "/usr/src/usr.sbin/mergemaster/"

echo "Done updating $HOSTNAME"

Here is some of what I saw when I ran the script:

bourque#
Beginning to update bourque.
Mounting /usr/src and /usr/obj on neely
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1f on /home (ufs, local, soft-updates)
/dev/ad1s1d on /nsm (ufs, local, soft-updates)
/dev/ad0s1g on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
/dev/ad3s1d on /var/db (ufs, local, soft-updates)
neely:/usr/src on /usr/src (nfs)
neely:/usr/obj on /usr/obj (nfs)
cd /usr/src
make installkernel KERNCONF=bourque
cd /usr/obj/usr/src/sys/bourque; MAKEOBJDIRPREFIX=/usr/obj MACHINE_ARCH=i386
MACHINE=i386 CPUTYPE= GROFF_BIN_PATH=/usr/obj/usr/src/i386/legacy/usr/bin GRO
FF_FONT_PATH=/usr/obj/usr/src/i386/legacy/usr/share/groff_font GROFF_TMAC_PATH=
/usr/obj/usr/src/i386/legacy/usr/share/tmac PATH=/usr/obj/usr/src/i386/legacy/us
/i386/usr/games:/sbin:/bin:/usr/sbin:/usr/bin make KERNEL=kernel install

When I was done I rebooted bourque, and then checked uname output:

bourque# uname -a
FreeBSD 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #1:
Wed May 26 16:42:32 EDT 2004
/usr/obj/usr/src/sys/bourque i386

I've started using this method on all of my FreeBSD machines with nonstandard kernels. Systems with GENERIC kernels can still track Colin Percival's freebsd-update.

Update: After speaking with Colin, I have another option that is a hybrid of building your own kernel and using Colin's updates of the userland.

Build the kernel you need for the remote system as shown above with the script. This creates a kernel for the remote machine. On the remote machine, run freebsd-update. If you have a GENERIC kernel on the remote machine, freebsd-update will update the kernel as well as the userland. Now install your kernel using this modified script:

#!/bin/sh
# Source updater via master builder, kernel only by Richard Bejtlich
# 1445 4 Jun 04

HOSTNAME=`/bin/hostname -s`
echo "Beginning to update $HOSTNAME."

# Mount the builder's trees; replace host_with_kernel with the build host.
echo "Mounting /usr/src and /usr/obj on host_with_kernel"
mount_nfs -T host_with_kernel:/usr/src /usr/src || exit 1
mount_nfs -T host_with_kernel:/usr/obj /usr/obj || exit 1

echo "cd /usr/src"
cd /usr/src || exit 1
echo "make installkernel KERNCONF=$HOSTNAME"
make installkernel KERNCONF=$HOSTNAME || exit 1

#No need to installworld when using freebsd-update
#echo "make installworld"
#make installworld
# Printed only as a reminder: the post-install mergemaster pass is run by hand.
echo "/usr/src/usr.sbin/mergemaster/"

echo "Done updating $HOSTNAME"

Essentially the only change is not running 'make installworld'. The next time you run freebsd-update on the remote machine, freebsd-update will update userland and leave the new kernel alone.
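To tie the two installer scripts above together, here is an added target-side script (an editor's example, not one of the blog's own scripts) that does the same job with pre-flight checks: it refuses to run installkernel unless /usr/src and /usr/obj really are mounted from the builder and the builder's tree holds a finished kernel for this host's config. It assumes the builder is called neely, that the kernel config is named after the target host as above, and that WORLD=no selects the kernel-only mode used with freebsd-update.

```shell
#!/bin/sh
# Added example, not one of the blog's scripts: target-side installer with
# pre-flight checks for the NFS build-and-install procedure. Assumes the
# builder (BUILDER, "neely" by default) exports /usr/src and /usr/obj and
# that the kernel config is named after the target host. WORLD=no skips
# installworld when freebsd-update maintains the userland.

BUILDER=${BUILDER:-neely}                 # assumption: builder hostname
KERNCONF=${KERNCONF:-$(/bin/hostname -s)} # kernel config = target hostname
WORLD=${WORLD:-yes}
SRC=/usr/src
OBJ=/usr/obj

# Succeed when the mount table text in $1 shows $3 mounted over NFS from $2,
# i.e. a line like "neely:/usr/src on /usr/src (nfs)". Takes the text as an
# argument so saved mount output can be checked the same way.
nfs_mounted_from() {
    printf '%s\n' "$1" | grep -q "^$2:$3 on $3 (nfs"
}

# Succeed when the tree rooted at src=$1 / obj=$2 holds a kernel config named
# $3 and the kernel buildkernel produced for it. With src=/usr/src and
# obj=/usr/obj that kernel lives in /usr/obj/usr/src/sys/$3/kernel, the build
# directory the uname output above shows.
kernel_ready() {
    src=$1; obj=$2; conf=$3
    if [ ! -f "$src/sys/i386/conf/$conf" ]; then
        echo "no kernel config $conf under $src/sys/i386/conf" >&2
        return 1
    fi
    if [ ! -f "$obj$src/sys/$conf/kernel" ]; then
        echo "no built kernel for $conf under $obj$src/sys/$conf" >&2
        return 1
    fi
    return 0
}

# Mount the builder's trees, verify them, then install. Any failure stops the
# run before installkernel touches the local system, so a failed mount can
# never lead to installing from a stale local /usr/obj.
main() {
    host=$(/bin/hostname -s)
    echo "Beginning to update $host from $BUILDER (kernel config $KERNCONF)."
    mount_nfs -T "$BUILDER:$SRC" "$SRC" || exit 1
    mount_nfs -T "$BUILDER:$OBJ" "$OBJ" || exit 1
    table=$(mount)
    for dir in "$SRC" "$OBJ"; do
        nfs_mounted_from "$table" "$BUILDER" "$dir" || {
            echo "$dir is not mounted from $BUILDER; refusing to install" >&2
            exit 1
        }
    done
    kernel_ready "$SRC" "$OBJ" "$KERNCONF" || exit 1
    cd "$SRC" || exit 1
    make installkernel KERNCONF="$KERNCONF" || exit 1
    if [ "$WORLD" = yes ]; then
        make installworld || exit 1
    else
        echo "Skipping installworld; freebsd-update maintains the userland."
    fi
    echo "Done updating $host. Run mergemaster, then reboot."
}

# Run only when invoked as "script install", so the functions can be sourced
# or tested without touching any mounts.
if [ "${1:-}" = install ]; then
    main
fi
```

With `/usr -alldirs` alone, neely's export is open to any host that can reach it; exports(5) accepts a client list on the same line, so naming bourque there keeps the build tree from being mounted elsewhere.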

Tuesday, May 25, 2004

Tom's Hardware on NICs

Tom's Hardware wrote a good article titled Gigabit Ethernet: On-Board Chips Reviewed. It explains the importance of high bandwidth PCI buses. I recommend reading it, but keep in mind the following feedback I sent the site:


I found your article "Gigabit Ethernet: On-Board Chips Reviewed" useful. I'm really glad to see someone authoritatively discuss NIC issues.

However, I think you use some throughput terms in odd ways. I believe a few changes could make it easier for the reader to appreciate your analysis.

For example, here you say "133 MB/s," presumably to mean 133 MegaBytes per second, for the bandwidth of a 32 bit 33 MHz PCI bus. That is correct. Farther down the same page, you mention "a 100 MBit interface," by which I guess you mean 100 Megabits per second. Would it not be better to standardize on 133 MBps and 100 Mbps, respectively?

Just after that you say "2 GBit/s or 266 MBit/s". This is where you are mixing these terms and creating confusion. From the context the first term should be 2 Gigabits per second (2 Gbps) and the second should be 266 MegaBytes per second (266 MBps). I checked the Intel CSA document to confirm these values.

On the next page you write "The 100 MBit/s, 100BaseT-Ethernet standard offers a theoretical maximum data transfer rate of 12.5 MBytes/s (MB/s). In real world applications, the actual rate is usually 8 MB/s." I recommend this be changed to "The 100 Mbps, 100BaseT-Ethernet standard offers a theoretical maximum data transfer rate of 12.5 MBps. In real world applications, the actual rate is usually 8 MBps." I think other mentions of "MB/s" should similarly be replaced by "MBps" for clarity.

Thank you for your time,

Richard Bejtlich

Sunday, May 23, 2004

Upgrading Cisco Router IOS

Today I upgraded the flash and system RAM in my Cisco 2651XM router.

Before upgrading the router memory, I had this in place:

C2600 platform with 65536 Kbytes of main memory

16384K bytes of processor board System flash (Read/Write)

I bought 64 MB extra main memory and 16 MB extra flash memory. When I opened up the router, the insides looked like this diagram:

I had a single 64 MB DRAM DIMM in the "Primary memory" slot with one free. I had no memory in the "System-code SIMM (Flash memory)" slot, since the 2651XM must ship with 16 MB on the motherboard. Once I snapped in the extra memory, my router recognized it without any trouble, as will be seen later.

I also decided to upgrade from a 12.2 release to 12.3. My old IOS was 12.2(11)T10, which corresponded to the c2600-ik9s-mz.122-11.T10.bin image. The 'show flash' command showed this after the memory upgrades:

gill#sh flash

System flash directory:
File Length Name/status
1 14962584 c2600-ik9s-mz.122-11.T10.bin
[14962648 bytes used, 18591784 available, 33554432 total]
32768K bytes of processor board System flash (Read/Write)

First I searched for a suitable IOS from the Cisco IOS Feature Navigator and Upgrade Planner tools. I located a version of IOS which offered NetFlow and SSH v2 in the 12.3 train, 12.3(4)T4 (image c2600-a3jk9s-mz.123-4.T4.bin). I downloaded it to a TFTP server on the same network as the router, into the TFTP server's /tftpboot directory.

I did not make a copy of the existing router flash image as I already had it elsewhere for safekeeping.

Next I copied my startup-config to the TFTP server:

gill#copy startup-config tftp://
Address or name of remote host []?
Destination filename [gill-startup-config]?
2200 bytes copied in 0.072 secs (30556 bytes/sec)

Now I was ready to copy my new flash image to the router:

gill#copy tftp flash
Address or name of remote host []?
Source filename []? c2600-a3jk9s-mz.123-4.T4.bin
Destination filename [c2600-a3jk9s-mz.123-4.T4.bin]?
Accessing tftp://
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeee
Erase of flash: complete
Loading c2600-a3jk9s-mz.123-4.T4.bin from (via FastEthernet0/1):!!!!
[OK - 24299960 bytes]
Verifying checksum... OK (0x5193)
24299960 bytes copied in 182.832 secs (132909 bytes/sec)

Next I checked to see if it was loaded:

gill#sh flash

System flash directory:
File Length Name/status
1 24299960 c2600-a3jk9s-mz.123-4.T4.bin
[24300024 bytes used, 8730120 available, 33030144 total]
32768K bytes of processor board System flash (Read/Write)

This looked fine, so I changed the system boot parameters to use the new image, copied the running-config to startup-config, and reloaded the router:

gill#conf term
Enter configuration commands, one per line. End with CNTL/Z.
gill(config)#no boot system flash c2600-ik9s-mz.122-11.T10.bin
gill(config)#boot system flash c2600-a3jk9s-mz.123-4.T4.bin
01:21:28: %SYS-5-CONFIG_I: Configured from console by console
gill#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
Proceed with reload? [confirm]

01:22:32: %SYS-5-RELOAD: Reload requested by console.

I then watched the router come up:

System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Copyright (c) 2002 by cisco Systems, Inc.
C2600 platform with 131072 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x172c840
Self decompressing the image : ###########
############ [OK]

Smart Init is enabled
smart init is sizing iomem
00036F 0X00103980 C2651XM Dual Fast Ethernet
0X000F3BB0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00408530

If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 5Mb.
Using 3 percent iomem. [5Mb/128Mb]
program load complete, entry point: 0x80008000, size: 0x172c840
Self decompressing the image : ###########
############ [OK]

Smart Init is enabled
smart init is sizing iomem
00036F 0X00103980 C2651XM Dual Fast Ethernet
0X000F3BB0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X00408530

If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 5Mb.
Using 3 percent iomem. [5Mb/128Mb]
Cisco IOS Software, C2600 Software (C2600-A3JK9S-M), Version 12.3(4)T4,
Technical Support:
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Thu 11-Mar-04 19:57 by eaarmas
Image text-base: 0x80008098, data-base: 0x8243BC1C
Cisco 2651XM (MPC860P) processor (revision 0x100) with 125952K/5120K bytes of me
Processor board ID JAE071601DV (2514262155)
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Press RETURN to get started!

*Mar 1 00:00:04.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0,
changed state to up
*Mar 1 00:00:15.280: %LINK-3-UPDOWN: Interface FastEthernet0/0,
changed state to up
*Mar 1 00:00:15.280: %LINK-3-UPDOWN: Interface FastEthernet0/1,
changed state to up
00:00:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
00:00:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
00:00:18: %SYS-5-CONFIG_I: Configured from memory by console
00:00:19: %SYS-5-RESTART: System restarted --

Cisco IOS Software, C2600 Software (C2600-A3JK9S-M), Version 12.3(4)T4, RELEASE
Technical Support:
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Thu 11-Mar-04 19:57 by eaarmas
00:00:19: %SNMP-5-COLDSTART: SNMP agent on host gill is undergoing a cold start
00:00:19: %NTP-6-RESTART: NTP process starts
00:00:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to down
00:00:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
00:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
00:00:27: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address edited,
mask, hostname gill
00:00:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
00:00:33: %NTP-5-PEERSYNC: NTP synced to peer
00:00:33: %NTP-6-PEERREACH: Peer is reachable

Everything looks fine, including the time setting via NTP. I also looked again at the flash and then the filesystem:

gill#sh flash detailed

System flash directory:
File Length Name/status
addr fcksum ccksum
1 24299960 c2600-a3jk9s-mz.123-4.T4.bin
0x40 0x5193 0x5193
[24300024 bytes used, 8730120 available, 33030144 total]
32768K bytes of processor board System flash (Read/Write)
gill#show file systems
File Systems:

Size(b) Free(b) Type Flags Prefixes
- - opaque rw system:
29688 26383 nvram rw nvram:
- - opaque rw null:
- - opaque ro xmodem:
- - opaque ro ymodem:
- - network rw tftp:
* 33030144 8730120 flash rw flash:
- - network rw pram:
- - network rw rcp:
- - network rw scp:
- - network ro http:
- - network rw ftp:
- - network ro https:
- - opaque ro cns:

My upgrade was complete!
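As an added check, not part of the original post: a sh/awk script that reads saved 'show flash detailed' output and the 'boot system flash' line in the formats shown above and confirms, before a reload, that the image the boot statement names is present in flash with fcksum equal to ccksum; it can also tell, before a copy, whether an image of a given size fits without erasing flash. The sample text is constructed from the listings above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-reload checks on saved
# IOS output. Feed it the text of "show flash detailed" and of the
# "boot system flash" line(s) from the running configuration.

# Print the image named by the first "boot system flash <image>" line in $1.
boot_image_from_config() {
    printf '%s\n' "$1" |
        awk '$1 == "boot" && $2 == "system" && $3 == "flash" { print $4; exit }'
}

# Succeed when the "show flash detailed" listing in $1 lists image $2 and its
# file checksum (fcksum) equals the checksum computed over the bytes in flash
# (ccksum). In this listing each file takes two lines:
#   1 24299960 c2600-a3jk9s-mz.123-4.T4.bin
#   0x40 0x5193 0x5193
flash_image_ok() {
    printf '%s\n' "$1" | awk -v img="$2" '
        !found && $NF == img { found = 1; next }
        found && NF == 3     { ok = ($2 == $3); exit }
        END { exit (found && ok) ? 0 : 1 }'
}

# Succeed when an image of $2 bytes fits in the space the "show flash"
# listing in $1 reports as available, i.e. it could be copied in without
# answering yes to "Erase flash: before copying?".
image_fits_without_erase() {
    printf '%s\n' "$1" | awk -v need="$2" '
        /bytes used,/ { seen = 1; fits = ($4 + 0 >= need + 0); exit }
        END { exit (seen && fits) ? 0 : 1 }'
}

# Combined pre-reload verdict: the boot statement must name an image that is
# present in flash with matching checksums. Returns 0 when safe to reload.
preflight() {
    flash=$1; config=$2
    img=$(boot_image_from_config "$config")
    if [ -z "$img" ]; then
        echo "no 'boot system flash' statement found" >&2
        return 1
    fi
    if flash_image_ok "$flash" "$img"; then
        echo "boot image $img present in flash, checksums match"
        return 0
    fi
    echo "boot image $img missing from flash or checksum mismatch" >&2
    return 1
}

# Constructed sample, copied from the listings above.
SAMPLE_FLASH='System flash directory:
File Length Name/status
addr fcksum ccksum
1 24299960 c2600-a3jk9s-mz.123-4.T4.bin
0x40 0x5193 0x5193
[24300024 bytes used, 8730120 available, 33030144 total]
32768K bytes of processor board System flash (Read/Write)'
SAMPLE_CONFIG='boot system flash c2600-a3jk9s-mz.123-4.T4.bin'
# The listing before the upgrade: 18591784 bytes free, less than the
# 24299960 byte 12.3 image, which is why the flash had to be erased first.
OLD_FLASH='[14962648 bytes used, 18591784 available, 33554432 total]'

# With two file arguments, check real captures; otherwise run the sample.
if [ $# -eq 2 ]; then
    preflight "$(cat "$1")" "$(cat "$2")"
else
    preflight "$SAMPLE_FLASH" "$SAMPLE_CONFIG"
fi
```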

Friday, May 21, 2004

Thoughts on High Speed Network Monitoring

I've been following an interesting thread on snort-users about collecting alert data on high speed networks. Users are debating how much traffic Snort can handle. One way to at least start answering this question is to enable the performance monitor. Vjay Larosa's post was helpful, as it pointed me towards perfmon-graph. This Perl script reads Snort performance monitor output and uses RRDtool to produce graphs of Snort performance statistics.

Using perfmon-graph requires two steps. First, enable Snort to output the statistics you need to a text file. Add the following line to your snort.conf file:

preprocessor perfmonitor: time 60 file /nsm/snort/perfmon.txt pktcnt 500

This tells Snort to write statistics every 60 seconds to a file called /nsm/snort/perfmon.txt. The perfmon-graph README warns us not to set the number following 'pktcnt' too high: for example, if 500 packets are not collected in 60 seconds, then we will not get a statistics output.

After restarting Snort with this new preprocessor, your perfmon.txt file will begin collecting entries like these:

bourque# tail -f /nsm/snort/perfmon.txt

Next decide where to run perfmon-graph and RRDtool. I chose to deploy both on a system other than the sensor running Snort, called janney. On FreeBSD use the /usr/ports/net/rrdtool port to install RRDtool. When running perfmon-graph I got an error about a missing tie/ file, which I learned ships with /usr/ports/devel/p5-Tie-File.

To set up perfmon-graph itself, download and extract it to a convenient directory. I chose to follow the perfmon-graph author's suggestion to use SSH to periodically copy the perfmon.txt file to the system running perfmon-graph. I made the following entry in my crontab to do this:

0,5,10,15,20,25,30,35,40,45,50,55 * * * * ssh worker@bourque "cat /nsm/snort/perfmon.txt" | /usr/local/bin/perl /usr/local/www/data/perfmon-graph/bourque/ -

This setup relies on user worker being able to SSH from janney to my sensor, bourque, using public key authentication. Because that key is used unattended from cron, it is worth restricting it in bourque's authorized_keys file with a command="cat /nsm/snort/perfmon.txt" option, so the key can do nothing else. I'm using on FreeBSD 4.9 STABLE, which had an old version of Perl installed (5.005_03). I installed a newer version using the latest package (5.6.1), and executed 'use.perl port' to make it the default. (I can revert to the base with use.perl system.)

Once this is working, a set of files will appear in /usr/local/www/data/perfmon-graph/bourque. You may recognize this as a likely place where Apache could serve up Web pages, and that is the case here. A visit presents graphs like that above, which shows Snort's perception of bandwidth monitoring in Mbps.

The accuracy and value of these statistics are debatable, but they are at least a start.

In addition to setting up performance monitoring, I learned of a great source of information on high speed monitoring issues through this post. It led me to SCAMPI, "A Scaleable Monitoring Platform for the Internet." Their publications page lists many interesting papers with advice and research regarding monitoring high bandwidth networks. The SCAMPI project has the goal of monitoring traffic at 10 to 100 Gbps.

Finally, Brian Caswell posted details on a massive rule update designed to improve Snort performance. He directs interested readers to the updated section of the Snort manual.

Tuesday, May 18, 2004

Installing Open Source Software on AIX

Last year I wrote about installing open source software on two commercial UNIXes, Solaris and HP-UX. Today I want to document how to install a few software packages on another commercial UNIX -- AIX.

First, I needed to get the ever popular wget onto the AIX 5.1 box to make retrieval of other software easier. I retrieved a wget package from UCLA's Public Domain Software Library for AIX using ftp. I then followed their instructions to extract and install the binary package:

# zcat wget.1.9.1.tar.Z | (cd /; tar xvpf -)
x ./usr/local/bin/wget, 619059 bytes, 1210 media blocks.
x ./usr/local/info/, 2576 bytes, 6 media blocks.
x ./usr/local/info/, 45301 bytes, 89 media blocks.
x ./usr/local/info/, 50448 bytes, 99 media blocks.
x ./usr/local/info/, 44699 bytes, 88 media blocks.
x ./usr/local/info/, 30878 bytes, 61 media blocks.
x ./usr/local/man/man1/wget.1, 58351 bytes, 114 media blocks.

That's it. Now I have /usr/local/bin/wget at my disposal.
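Added as an editor's example, not from the original post: a sh/awk check to run before piping a downloaded package into tar over / as root, as with wget.1.9.1.tar.Z above. It lists the archive members first and refuses to extract unless every one is a relative path under ./usr/local with no '..' component. The member names in the test data are taken from the listing above; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a binary package's
# member list before extracting it over / as root. Every member must be a
# relative path under the expected prefix (./usr/local for the UCLA
# packages) with no ".." component. Only member names are checked; symlink
# targets are not inspected.

# Read member names from stdin, one per line as "tar tf -" prints them, and
# succeed only when all stay under prefix $1. Offending names are printed,
# one per line with the reason, and the exit status is then 1.
members_confined() {
    awk -v prefix="$1" '
        BEGIN { p = prefix "/" }
        /^$/ { next }
        substr($0, 1, 1) == "/" { print "absolute path: " $0; bad = 1; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print "parent reference: " $0; bad = 1; next }
        }
        $0 != prefix && $0 != p && index($0, p) != 1 {
            print "outside " prefix ": " $0; bad = 1; next
        }
        END { exit bad ? 1 : 0 }'
}

# Extract compress'd tar archive $1 over / (the way the UCLA packages are
# laid out) only after its member list passes members_confined for prefix $2.
install_confined() {
    archive=$1; prefix=$2
    if zcat "$archive" | tar tf - | members_confined "$prefix"; then
        zcat "$archive" | (cd / && tar xpf -)
    else
        echo "refusing to extract $archive: members escape $prefix" >&2
        return 1
    fi
}

# Run only as "script install <archive>", e.g. ./check.sh install wget.1.9.1.tar.Z
if [ $# -eq 2 ] && [ "$1" = install ]; then
    install_confined "$2" ./usr/local
fi
```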

Now I needed OpenSSH. I used the packages at Darren Tucker's OpenSSH Page. Unfortunately, as I was downloading the package I needed, I ran out of disk space. This was a result of doing a default install of AIX 5.1 and not understanding how their filesystems work. After deleting the interrupted package, my df output looked like this:

# df -k
Filesystem 1024-blocks Free %Used Iused %Iused Mounted on
/dev/hd4 16384 9744 41% 1092 14% /
/dev/hd2 524288 4816 100% 19067 15% /usr
/dev/hd9var 16384 11676 29% 300 8% /var
/dev/hd3 32768 31648 4% 30 1% /tmp
/dev/hd1 16384 15820 4% 21 1% /home
/proc - - - - - /proc
/dev/hd10opt 32768 26372 20% 290 4% /opt

I learned enough about the AIX filesystem via this thread to run 'smit chfs' and make the changes I needed to extend the /usr filesystem. Within smit I selected "Change / Show Characteristics of a Journaled File System" and then selected /usr. Smit reported /usr looked like this:

SIZE of file system (in 512-byte blocks) 1048576

I changed that value to be ten times bigger and committed the change. When done, df showed this output:

# df -k
Filesystem 1024-blocks Free %Used Iused %Iused Mounted on
/dev/hd4 16384 9744 41% 1092 14% /
/dev/hd2 5242880 4575296 13% 19067 2% /usr
/dev/hd9var 16384 11676 29% 300 8% /var
/dev/hd3 32768 31648 4% 30 1% /tmp
/dev/hd1 16384 15820 4% 21 1% /home
/proc - - - - - /proc
/dev/hd10opt 32768 26372 20% 290 4% /opt

That was better. After downloading the OpenSSH package, I unzipped and untarred it:

gunzip -d openssh-3.8p1-bff.tar.gz
tar -xvf openssh-3.8p1-bff.tar

Thanks to the AIX documentation and a helpful doc for VNC, I knew I needed to use 'installp' to install the package:

installp -a -X -d openssh-3.8p1.bff all

Pre-installation Verification...
Verifying selections...done
Verifying requisites...done

Filesets listed in this section passed pre-installation verification
and will be installed.

Selected Filesets
openssh # OpenSSH 3.8p1 Portable for AIX

<< End of Success Section >>
1 Selected to be installed, of which:
1 Passed pre-installation verification
1 Total to be installed

Installing Software...

installp: APPLYING software for:

. . . . . << Copyright notice for openssh >> . . . . . . .
This software is distributed under a BSD-style license.
For the full text of the license, see /usr/lpp/openssh/LICENCE
. . . . . << End of copyright notice for openssh >>. . . .

Creating configs from defaults if necessary.
Creating ssh_config from default
Creating sshd_config from default
Creating ssh_prng_cmds from default
Creating PrivSep prereqs if required.
UsePrivilegeSeparation enabled in config (or defaulting to on).
Creating PrivSep group sshd.
Creating PrivSep user sshd.
PrivSep chroot directory /var/empty already exists.

Creating host keys if required.
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_key.
Your public key has been saved in /usr/local/etc/
The key fingerprint is:
d5:bd:25:53:da:48:6a:b9:5a:83:b1:92:b4:9b:b0:cd root@murray
Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/
The key fingerprint is:
e3:98:e7:ae:ba:53:82:b9:eb:76:51:e3:f2:d9:69:5a root@murray
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/
The key fingerprint is:
48:11:50:a7:55:70:7d:84:3c:c6:db:9b:c2:95:b1:bc root@murray

Creating SRC sshd subsystem.
0513-071 The sshd Subsystem has been added.
Adding sshd to rc.tcpip
Finished processing all filesets. (Total time: 15 secs).


Installation Summary
Name Level Part Event Result

When done, I had /usr/local/bin/ssh and /usr/local/sbin/sshd at my disposal. Once I started sshd, other systems were able to connect to the box.

Monday, May 17, 2004

Incident Handling (INCH) IETF Working Group

This weekend at BSDCan Michael Richardson mentioned a security-oriented IETF working group I'd never heard of before. It's called Incident Handling and its purpose is "to define a data format for exchanging security incident information used by a CSIRT." Also:

"The working group has created four documents. A data model named the Incident Object Description Exchange Format (IODEF), and an associated implementation in an XML DTD, is the format defined for exchanging incident data. The IODEF conforms to a set of requirements for a Format for INcident Report Exchange (FINE). Additionally, guidelines for implementors are provided."

Although the official working group site links to the project schedule and the documents they've written, working group chair Roman Danyliw's unofficial site is informative too. (Yes, that's the same Roman who developed ACID.) The INCH mailing list archive shows plenty of recent activity. This is a nice departure from the archive for the Intrusion Detection Exchange Format working group.

Michael Boman Posts IDS, Snort, and Sguil Presentations

Sguil developer Michael Boman gave four presentations to the Linux Users Group Singapore this month. They discuss IDS, Snort, ACID, and Sguil. I recommend perusing them at

These presentations are viewable online and are a good introduction for people trying to understand IDS from the ground up. I found the Snort presentation helpful for its concise Snort development timeline.

Great News from Mar-Apr 04 FreeBSD Status Report

The Mar-Apr 04 FreeBSD Status Report brings many glad tidings. The best in my opinion is word of a new version of Kirk McKusick's classic, called The Design and Implementation of the FreeBSD Operating System (here's the link). It doesn't get any better than this, folks. Kirk wrote the definitive BSD book, The Design and Implementation of the 4.4 BSD Operating System, in 1996. This long-awaited update is "based on FreeBSD 5.2 and the upcoming FreeBSD 5.3 releases... It is now in final production by Addison-Wesley and will be available in early August 2004. The ISBN is 0-201-70245-2." I can't wait for this one.

The report also mentioned availability of packages for FreeBSD and updates on the TrustedBSD Security-Enhanced BSD (SEBSD) project. I missed Robert Watson's talk at due to attending Michael Richardson's libpcap 1.0 discussion. There are several papers on TrustedBSD and SEBSD available, however.

Sunday, May 16, 2004

Thoughts on Cisco IOS

Yesterday I mentioned the report of the theft of Cisco's IOS. While I have no evidence to support this theory, I always assumed that various nefarious parties already had access to some or all of Cisco's previous IOS versions. While access to source code is not necessary to discover vulnerabilities, the allure of obtaining such a prize (for intellectual and competitive intelligence pursuits) made theft a likely scenario. The February report of the theft of Microsoft's source surely did not represent the first time unsavory parties had access to that intellectual property, either.

What does this event mean for Cisco? I found several excellent articles which gave me food for thought. First, last month reported that Cisco will release a new version of IOS on a new product this summer. This new device, the Huge Faster Router (HFR), is designed to compete with Juniper's core routing product, the T640 (Juniper gear pictured below). The new version of IOS will initially only run on the HFR, but it is expected to eventually migrate down the Cisco product line to the edge networking devices.

Unfortunately for Cisco, the first version of the HFR seems hobbled from the start. It's 23" wide, 4" too wide for the standard telecom rack. According to, IPv6 support is incomplete, degrading purchase propositions from the US DoD. Juniper already won the contract for the Global Information Grid Bandwidth Expansion (GIG-BE). MPLS may also not be fully supported.

On the positive side, reports the new IOS will be more modular. Upgrading IOS may not require taking the device out of service. Certain rumors indicate that IOS might be replaced by the real-time operating system QNX. Just last week QNX Software Systems issued a press release describing how their "QNX Neutrino realtime operating system (RTOS) will be shipping as part of the Cisco uMG9850 QAM Module, a new quadrature amplitude modulation product designed to let cable operators use Gigabit Ethernet to deliver video-on-demand."

Meanwhile, another open source router project is paving the way for alternatives for routing at the network edge. XORP, the eXtensible Open Router Platform, plans to release a live CD once the product is released (soon). XORP is developed on Linux and FreeBSD, and reported on the project last month.

Last from the world of Cisco, two new books from Cisco Press look to be excellent reads for network security architects. Sean Convery, who has a new paper on IPv4 and IPv6 threats, just published Network Security Architectures. Mauricio Arregoces and Maurizio Portolani also just published Data Center Fundamentals. When I read both (almost 2000 pages -- give me a few months) I'll review them at

Update: Cisco announced their new Carrier Routing System on 24 May 04. According to this article, the new 92 Tbps router runs on top of QNX:

"IOS XR helps Cisco catch up in areas such as hot upgrades of software and separation of control, data, and management planes. The software is based on a kernel licensed from QNX Software Systems, but tailored for the job. 'We have made some pretty substantial modifications to [the QNX code] that are Cisco proprietary,' Volpi says."


"The CRS-1 truly is huge and fast, with a capacity of 640 Gbit/s in a 7-foot rack. It scales to 72 shelves rather than the 18 reported by sources, for an unreal 46 Tbit/s maximum capacity, or 1,152 OC768 ports. (Cisco reports this as 92 Tbit/s, using its usual convention of counting ingress and egress capacity separately.)"

Disabling Vulnerability Checks with Portaudit

Last month I described the security/portaudit tool, which checks for vulnerable ports and prevents their installation. Sometimes it's reasonable to install a port that has a vulnerability, if the risk is acceptable. For example, the databases/mysql-client port currently reports a security problem when I try to install it:

neely:/usr/ports/databases/mysql40-client$ make
===> mysql-client-4.0.18_1 has known vulnerabilities:
>> MySQL insecure temporary file creation (mysqlbug).

>> Please update your ports tree and try again.

This is a minor problem affecting only the 'mysqlbug' script, not core mysql client functionality. We may not see a fix in the MySQL distribution until 4.0.19.

Thanks to Michael Nottebrock, I learned how to install a port with a vulnerability:

neely:/usr/ports/databases/mysql40-client$ make -DDISABLE_VULNERABILITIES
===> Vulnerability check disabled
>> mysql-4.0.18.tar.gz doesn't seem to exist in /usr/ports/distfiles/.


Saturday, May 15, 2004

Cisco Source Code Publicly Reported as Stolen

I first read this on the NANOG list, but it appears to have been broken by BugTraq. According to this translation of the original Russian story:

"As it became known to SecurityLab, the source code of operating system CISCO IOS 12.3, 12.3t, which is used in the majority of Cisco network devices has been stolen on May 13, 2004. The total volume of the stolen information represents about 800MB in an archive file."

The Russian site shows "ipv6_discovery_test.c -- Neighbor Discovery unit tests" and "ipv6_tcp.c -- IP version 6 support functions for TCP" as some sample code.

Update: This was my 500th Blog post.

Live from BSDCan Day Two

Day two of the first ever BSDCan is over. This concludes the conference, which we believe was a great success. Dan Langille reported over 175 attendees and is making plans for a second conference next year.

I started the day with Michael Richardson discussing libpcap 1.0. Michael described how the current libpcap file format, major version 2 minor version 4, will eventually become major version 3. The current format presents a header (pcap_file_header) for every trace file as well as per-packet headers (currently pcap_pkthdr), making it difficult to concatenate two separate trace files. The proposed new version eliminates this header and uses more per-packet headers to facilitate mixing packets from various sources into a single trace file. Compare pcap.h and pcap1.h to get a sense of what he means.

Besides the new header Michael discussed, he also presented a two year old alternative format with its own issues. I also learned to pay attention to the savefile.c file, which describes linktypes.

Michael described his work with netdissect, a library of protocol printers for Tcpdump. Michael mentions it in posts to tcpdump-workers here and here. This is part of an effort to modularize Tcpdump. It will eventually provide options for sending Tcpdump output to places other than the screen. In the future, Tcpdump could be separated into a privilege separated version (different from the existing OpenBSD implementation) where one program uses the kernel and BPF to get traffic, which is passed to a lower-privilege dissector program.

Next I attended FreeBSD Core Team member Wes Peters' talk. He discussed how his company St. Bernard Software builds dependable appliances using FreeBSD. I thought his talk was interesting, but his decision to post the text of his presentation on the screen was not very clever. He said that 14 people have been killed as a result of PowerPoint-like presentations, a claim alluded to elsewhere and discussed in a recent issue of Software Development magazine. That doesn't mean it makes sense to post pages of text in paragraph form, and then stare at them looking for the point one needs to make while standing in front of a crowd. The key to using PowerPoint or slides in general is to present key points, and not get bogged down in descending levels of detail where critical issues are buried from view.

One of the practical points I took from Wes' talk was advice to avoid flash disks in favor of hard drives. If flash must be used, Wes had praise for SanDisk and Lexar Media. He also claimed Samba 2.2.x is poor when transferring large (> 1 GB) files and 3.x isn't much better.

Wes said his appliances keep three images on disk, one as primary, one as backup, and one as a read-only failsafe/panic boot partition. His solution makes extensive uses of vnodes and stores configuration files in a PostgreSQL database. The appliance operates in degraded mode when something fails, offering enough information to perform troubleshooting.

His appliance does IP configuration by listening for a packet sent by an administrative console application using a source IP owned by St. Bernard. Connecting to the device's serial port launches a configuration wizard, not a shell. Only through working with St. Bernard tech support could one access a console of any kind.

Their product makes three sorts of updates: (1) subscriptions update application data changes; (2) patches update application bugs and security flaws; and (3) releases upgrade the entire system image, including the kernel. To retrieve updates, the appliances poll servers owned by St. Bernard on a daily basis.

Ryan McBride from the OpenBSD team gave the next talk I attended. He discussed Pf, the OpenBSD packet filter. He gave a nifty demo of firewall failover with Pfsync and CARP. A cool aspect of CARP (Common Address Redundancy Protocol) is its ability to work on devices other than firewalls. During the talk, Theo said a university was using CARP to offer Samba via four servers. Ryan and Theo also mentioned spamd, a sort of LaBrea tarpit to catch spammers.

Speaking of Theo, he gave the last talk I attended. It was an updated version of the exploit mitigation presentation he gave at CanSecWest last month. He argued that Microsoft's adoption of a ProPolice-like system in Windows is flawed: instead of setting the canary used to protect the stack at run-time, Microsoft computed the canary at compile-time. This means every copy of the same application has the same canary, making life easier for intruders. In Theo's words: "They completely missed the point!" Theo also commented that it's a bad idea to have a single 'nobody' user for multiple jailed processes. It's much better to give each jailed process its own unprivileged user, like _tcpdump, _apache, and so forth. That way, an intruder can't use ptrace between jails running under the same user ID and string together the means to escape.

Overall, I thought the conference was excellent. I intend to return next year. I paid for the affair myself and I feel I got my money's worth. I got to meet some really interesting people, including BSD Hacks author Dru Lavigne. Too bad Michael Lucas was absent -- I'm waiting for his book on NetBSD and Cisco Routers for the Desperate.

Over the course of the weekend, several people spoke to me about Sguil and monitoring in general. A few had questions about how to conduct monitoring when asymmetric routing is used. Asymmetric routing typically involves traffic being sent over one interface and route and returned over a different interface and route. There are two ways this seems to be used. First, at the client side, one might have a downlink served by a satellite feed with a phone line used for an uplink. Not only are such routes asymmetric, the latency and bandwidth are asymmetric too. This causes all sorts of problems for TCP, which generally assumes similar link performance for inbound and outbound traffic. A 1997 paper and slides explain the problems with such setups. Another paper can be found here.

Second, at the server side, one might have a server connected to two or more links for redundancy and performance issues. While one of the links may be a primary and hence have better performance, links of equal capability are often used.

For monitoring issues, administrators are more concerned with the second scenario at the server side. Some vendors, like Top Layer, sell products to bring the traffic together for monitoring purposes. Some also advocate per-flow rather than per-packet balancing on routing gear, if possible. I think there must be an open source solution to this, perhaps involving bridging promiscuous interfaces and creating a virtual interface to monitor.

These issues were debated on snort-users and NANOG in March. Linux Journal also debated techniques to handle this problem in April.
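Michael's point about the single per-file pcap header and the question of combining traffic seen on two links come together in the following added Python example. It is mine, not code from the page, from libpcap, or from any vendor mentioned above. It parses the classic 2.4 pcap file format, merges two captures by timestamp under one global header, refuses to mix link types (one header describes every packet, which is exactly the limitation the proposed pcap 1.0 format addresses), and shows why simply concatenating two trace files produces a broken file. The two "tap" captures are constructed dummy frames, not real traffic.

```python
import heapq
import struct

def read_pcap(data):
    """Parse a classic pcap (file format 2.4) byte string.

    Returns (byte_order, linktype, snaplen, packets) where each packet is
    (ts_sec, ts_usec, orig_len, captured_bytes)."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xa1b2c3d4:
        bo = "<"            # file written little-endian
    elif magic == 0xd4c3b2a1:
        bo = ">"            # file written big-endian
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(bo + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        packets.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return bo, linktype, snaplen, packets

def write_pcap(linktype, snaplen, packets):
    """Emit one little-endian pcap: a single global header, then per-packet headers."""
    out = [struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig_len, raw in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(raw), orig_len))
        out.append(raw)
    return b"".join(out)

def merge_pcaps(*captures):
    """Merge captures from several taps into one file ordered by timestamp.

    One global header describes every packet, so the link types must agree;
    the snaplen becomes the largest of the inputs."""
    linktype, snaplen, streams = None, 0, []
    for data in captures:
        _bo, lt, sl, pkts = read_pcap(data)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("link type mismatch: %d vs %d" % (linktype, lt))
        snaplen = max(snaplen, sl)
        streams.append(pkts)
    # each tap already wrote its packets in time order, so a k-way merge suffices
    merged = heapq.merge(*streams, key=lambda p: (p[0], p[1]))
    return write_pcap(linktype, snaplen, list(merged))

def sample_capture(linktype, timestamps):
    """Constructed sample: a 60-byte dummy frame per (sec, usec); not real traffic."""
    pkts = [(sec, usec, 60, bytes([usec % 256]) * 60) for sec, usec in timestamps]
    return write_pcap(linktype, 65535, pkts)

TAP_A = sample_capture(1, [(1082638034, 100), (1082638034, 300), (1082638035, 50)])
TAP_B = sample_capture(1, [(1082638034, 200), (1082638036, 0)])

def merged_timestamps():
    """Timestamps of the merged file, in file order."""
    _bo, _lt, _sl, pkts = read_pcap(merge_pcaps(TAP_A, TAP_B))
    return [(p[0], p[1]) for p in pkts]

def naive_concat_is_broken():
    """'cat a.pcap b.pcap' leaves b's global header inside the packet stream;
    the parser either rejects the result or yields garbage packets."""
    try:
        _bo, _lt, _sl, pkts = read_pcap(TAP_A + TAP_B)
    except ValueError:
        return True
    return [(p[0], p[1]) for p in pkts] != merged_timestamps()

def linktype_mismatch_rejected():
    """A capture with another link type (105 = IEEE 802.11) must not be merged in."""
    try:
        merge_pcaps(TAP_A, sample_capture(105, [(1082638034, 0)]))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(merged_timestamps())
```

The merge relies on each tap having written its packets in capture order; if the taps' clocks are not synchronized, the interleaving is only as good as the clocks, which is the usual caveat for any multi-sensor monitoring setup.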

Friday, May 14, 2004

Live from BSDCan

Day one of BSDCan today was great. I first attended Network Buffer Allocation in the FreeBSD Operating System by Bosko Milekic. He gave an overview of changes made in FreeBSD 5.x to improve TCP/IP performance, especially on SMP systems. I then heard conference organizer Dan Langille discuss Bacula, a backup solution I intend to try.

After lunch I presented Network Security Monitoring with Sguil, which was fun. The last formal talk I saw was by Poul-Henning Kamp. He described GEOM-based Disk Encryption. Browsing the freebsd-current mailing list, I found a thread discussing novel ways to use GEOM and GBDE called ggate or GEOM gate. Check it out in src/sbin/ggate. The thread discusses using ggate to encrypt a floppy.

I also spent some time in a BoF on IPSec and learned about isakmpd, an alternative to racoon for managing IPSec keys. It's in security/isakmpd too.

Wednesday I reported the publication of an exploit for the FTP service used by the Sasser worm. Now there's a new worm called Dabber exploiting the same vulnerability in Sasser's FTP service. Read each link for LURHQ's analysis of each worm.

If you've been seeing increased scans to ports 9898 and 5554 TCP, you'll know why after reading the advisories. Port 5554 TCP is the Sasser FTP server. Port 9898 is the Dabber back door.

Thursday, May 13, 2004

Windows Roadmap Article

I found this article to be a good summary of future Microsoft OS release plans. The key points I noted are:

  • Microsoft is adopting a "4 year release schedule for Windows Server then that would place Windows Server Longhorn in 2007 (4 years from Server 2003)"

  • "[W]e'll be seeing Windows Client Longhorn in 2006"

  • "Microsoft will release an update every 2 years after an initial major release which refreshes the Operating System with add-ons, security fixes and new features. The next planned update is for Windows Server 2003 which is due to be released in 2005 and currently code-named R2."

Posts Page for My Book

A visit to reveals a page for my book. reports the publication date as 14 July 2004. This is a little earlier than I expected, but everything remains on schedule. Perhaps my publisher built in a little time for problems, and thankfully we haven't had any major difficulties yet. You may notice the cover is similar to Secure Architectures with OpenBSD and the second edition of Know Your Enemy. All three books are part of Addison-Wesley's new lineup of security books.

Wednesday, May 12, 2004

Working with Debian Again

I'm taking another look at Debian, as I may need to run some software tied to Linux firewalling software not found on FreeBSD.

I took advantage of a few good articles, including Introduction to Debian Software Package Management, the Apt How-To, Apt-Pinning for Beginners, and Using APT with more than 2 sources. Following their advice I created an /etc/apt/sources.list like this:

deb stable main non-free contrib
deb stable/non-US main contrib non-free

deb testing main non-free contrib
deb testing/non-US main contrib non-free

deb unstable main non-free contrib
deb unstable/non-US main contrib non-free

deb stable/updates main contrib non-free

I created an /etc/apt/apt.conf file to address some memory problems I'd encountered earlier:

APT::Cache-Limit "8388608";

I then ran these commands to update my system, a Pentium 90 running Debian 3.0r2:

apt-get update
apt-get upgrade

These updated my system to a certain state, but I then ran another command to go farther:

apt-get dist-upgrade

When I was done, I tried installing 'sudo' using apt-get:

oates:~# apt-get install sudo
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 146kB of archives.
After unpacking 365kB of additional disk space will be used.
Get:1 testing/main sudo 1.6.7p5-1 [146kB]
Fetched 146kB in 0s (158kB/s)
Selecting previously deselected package sudo.
(Reading database ... 8768 files and directories currently installed.)
Unpacking sudo (from .../sudo_1.6.7p5-1_i386.deb) ...
Setting up sudo (1.6.7p5-1) ...
No /etc/sudoers found... creating one for you.

This installed the version of sudo in the Debian testing distribution. You can see the appropriate package here.

Testing, also known as 'sarge,' is a middleground between stable (aka 'woody') and unstable (aka 'sid'). There are packages for each of those as well. The stable package offers sudo 1.6.6-1.1, while the unstable package, 1.6.7p5-1, matches that installed by testing.

I'll report more as I learn more about Debian.

Alleged Exploit for Sasser FTP Server Released

We've heard of intruders exploiting systems already infected by worms, but this is another way to take advantage of poorly deployed systems. A Romanian coder released sasserftpd.c recently. This code attacks the FTP server used by Sasser to propagate. The rogue Sasser FTP server listens on port 5554 TCP on versions a through d and port 1023 TCP on version e. The Romanian exploit attacks this FTP server.

Speaking at Friday

Dan Langille just added me to the schedule at BSDCan, the first BSD Canada conference. I'll be presenting Network Security Monitoring with Sguil on Friday at 2 pm. I plan to discuss many short case studies on using Sguil to detect and validate security incidents, followed by a short live demo of Sguil on FreeBSD. Come by and say hello!

Usability Tips for UNIX

I want to note a couple of helpful hints I stumbled across. First, I learned something new about the xterm program. I run FreeBSD on many systems and start X manually with 'startx'. One system has Windowmaker for a window manager. When I launch an xterm, the new instance doesn't read .profile. This means the prompt stays with the default, rather than changing to suit my needs. For example, my .profile has this entry to change the prompt:

PS1='`hostname -s`:$PWD$ '

This creates a prompt like this:


Unfortunately, prior to today I manually sourced the .profile to change the prompt, using '. .profile' in the user's home directory.

While perusing this Unix for Advanced Users guide, I came across this article: Is my .login or .profile being used?. It explained that I needed to start xterm with the '-ls' option to specify it running as a login shell. In that case it will read the user's .profile. Here is the menu command I use to start xterm:

xterm -ls -sb -rv -fg green -fn 9x15bold -geometry 80x24

The -sb creates a scroll bar; -rv specifies reverse video; -fg makes text green; -fn specifies the font; and -geometry sets the window size.

I also want to make note of a file that I use to set a resolution of 100x100 dots per inch when X starts. My .xserverrc file looks like this:

exec /usr/X11R6/bin/X -dpi 100 -nolisten tcp

The -nolisten tcp option keeps the X server from accepting connections on TCP port 6000, so only local clients can attach to the display. I can confirm the DPI setting with xdpyinfo:

resolution: 100x100 dots per inch

A final usability issue involves batteries and FreeBSD laptops. This post to freebsd-mobile is part of a thread discussing differences between suspending and hibernating a laptop. I'm able to have my laptop suspend, thanks to the BIOS I believe. Read the posts for more information if interested.

Tuesday, May 11, 2004

Blastwave: Open Source Solaris Package Management System

I was looking to upgrade a few packages installed from when I stumbled upon is a "community software" (CSW) site which emulates the Debian apt-get system for installing Solaris packages.

Once you install the pkg-get package, you can install Solaris software as easily as this:

pkg-get install mutt

Pkg-get installs the dependencies and the desired package. The executable's home is /opt/csw/bin, unlike /usr/local/bin for packages installed from

Here is a comparison of how mutt, from, and OpenSSH, from Sunfreeware, appear to pkginfo:

bash-2.03$ pkginfo | grep mutt
system CSWmutt mutt - Command line email reader with IMAP and SSL support
bash-2.03$ pkginfo | grep ssh
application SMCossh openssh

Perusing the mailing list archive, it seems users are enthusiastic. I hope this project continues to improve and update its package selection.

Keep in mind that software installed from Sunfreeware is ignored by For example, installing mutt resulted in a second installation of OpenSSL:

bash-2.03$ pkginfo | grep ssh
application SMCossh openssh
bash-2.03$ pkginfo | grep ssl
system CSWossl openssl - OpenSSL Secure Sockets Layer lib and utilities
application SMCossl openssl

Discussion of IPv6 Options on BSD

I'm interested in experimenting with IPv6 at some point. Since most of the operating systems I use in my lab have IPv6 stacks, I plan to run a native IPv6 VLAN internally. I'm also interested in connectivity to other IPv6-enabled sites.

This OpenBSD Journal article offers a few options for people wanting to use IPv6 across the IPv4 Internet. I plan to try one of these solutions and post my results here in the future.

Monday, May 10, 2004

Carter Bullard Releases Argus 2.0.6

Normally a change from a 2.0.5 to 2.0.6 release wouldn't be big news. That's not the case with Argus, however. 2.0.6 has been about a year in the making. Argus is the world's longest living open source session data collection program. It runs on most any UNIX distribution and appears in my book. Give it a try!

Thursday, May 06, 2004

Moves to Niuhi

Visitors to will notice they are no longer redirected to I've started hosting at, co-operated by a fellow security consultant. This move should only have positive effects. If you bookmarked the old Comcast site, please use

Tuesday, May 04, 2004

Upgrading Ruby

This morning when checking for updated applications I saw that lang/ruby18 was updated recently:

drury:# portversion -v | grep ruby
ruby-1.8.1_2 < needs updating (port has
ruby18-bdb1-0.2.2 = up-to-date with port

I remembered what trouble we had with Ruby and Portupgrade a few months ago, so I used Portupgrade to upgrade Ruby by itself:

drury# portupgrade -v ruby
---> Session started at: Tue, 04 May 2004 12:16:17 -0400
---> Upgrade of lang/ruby18 started at: Tue, 04 May 2004 12:16:19 -0400
---> Upgrading 'ruby-1.8.1_2' to 'ruby-' (lang/ruby18)
---> Build of lang/ruby18 started at: Tue, 04 May 2004 12:16:19 -0400
---> Building '/usr/ports/lang/ruby18'
>> ruby-1.8.1-2004.05.02.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/ruby.
>> Attempting to fetch from
Receiving ruby-1.8.1-2004.05.02.tar.bz2 (2395420 bytes):
===> Cleaning for ruby-
---> Removing the temporary backup files
---> Installation of lang/ruby18 ended at: Tue, 04 May 2004 12:18:19 -0400 (consumed 00:00:07)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb in /var/db/pkg ... - 159 packages found
(-0 +1) . done]
---> Upgrade of lang/ruby18 ended at: Tue, 04 May 2004 12:18:19 -0400 (consumed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
+ lang/ruby18 (ruby-1.8.1_2)
---> Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
---> Session ended at: Tue, 04 May 2004 12:18:20 -0400 (consumed 00:02:02)

Ruby was updated and now I plan to use Portupgrade to update the rest of my ports.

Monday, May 03, 2004

Review of Network Security Assessment Posted just published my four star review of Network Security Assessment. From the review:

"Network Security Assessment (NSA) is the latest in a long line of vulnerability assessment / penetration testing books, stretching back to Maximum Security in 1997 and Hacking Exposed shortly thereafter. NSA is also the second major security title from O'Reilly this year, soon to be followed by Network Security Hacks. NSA is a good book with some new material to offer, but don't expect to find deep security insight in this or similar assessment books.

NSA begins with the almost obligatory reference to the king of assessment books, Hacking Exposed (HE), saying 'I leave listings of obscure techniques to behemoth 800-page "hacking" books.' I don't think some of the techniques covered in HE but not NSA are "obscure." Noticeably lacking in NSA is coverage of dial-up techniques, wireless insecurities, Novell vulnerabilities, and attacking clients rather than servers. Should NSA receive a second edition, I expect to see the book expand closer to the 'behemoth' it seems to deride."

Saturday, May 01, 2004

Review of Ethereal Packet Sniffing Posted just posted my five star review of Ethereal Packet Sniffing. From the review:

"Ethereal Packet Sniffing is the first book in Jay Beale's new Open Source Security Series with Syngress. It's a great book to lead the way. Ethereal is full of helpful tips and clear discussions that benefit newbies and wizards alike.

I've been using Ethereal for around five years, and this book still taught me a few new tricks. The key to the new material is Ethereal's development, from 0.2 in July 1998 to 0.10.3 this year. (The book covers 0.10.0 which is far from being outdated.) The many improvements lend themselves to the sort of explanations found in Ethereal. For example, my favorite material involved filters. Although chs. 4 and 5 had minor overlap regarding this feature, I learned new ways to manipulate Ethereal's packet search and display capabilities."

Fixing Another Problem with Ports

Today while using portupgrade to update my ports tree, I ran into this problem. The process was trying to upgrade OpenMortal when it died:

---> Uninstallation of openmortal-0.6 ended at: Sat, 01 May 2004 18:26:13 -0400 (consumed 00:02:22)
---> Upgrade of games/openmortal ended at: Sat, 01 May 2004 18:26:13 -0400 (consumed 00:02:28)
[Updating the pkgdb in /var/db/pkg ... - 258 packages found
(-1 +0) (...)ruby18 in malloc(): error: allocation failed
Abort (core dumped)

That didn't look good. I tried this and got similar results:

orr:/root# portversion -v
[Updating the pkgdb in /var/db/pkg ... - 258 packages found
(-1 +0) (...)ruby18 in malloc(): error: allocation failed
Abort (core dumped)

At this point I decided to try rebuilding the package database:

orr:/var/db/pkg# mv pkgdb.db pkgdb.db.broken
orr:/var/db/pkg# pkgdb -F
---> Checking the package registry database
[Rebuilding the pkgdb in /var/db/pkg ... - 258 packages found (-0 +258) .............................................................................................................. done]

Now everything works, although OpenMortal is no longer installed. I reinstalled it from /usr/ports/packages/All, which is an NFS mount to my package builder:

orr:/root# cd /usr/ports/packages/All
orr:/usr/ports/packages/All# pkg_add -v openmortal-0.7.tbz
Requested space: 205905528 bytes, free space: 2372941824 bytes in /var/tmp/instmp.RTmsXw

Packet Details Markup Language

While reviewing a new book on Ethereal, I learned about the Packet Details Markup Language (PDML). PDML is a way to express a packet in XML format. For example, here is an ICMP echo request:

tethereal -n -r snort.log.1082637820 -T pdml icmp

<?xml version="1.0"?>
<pdml version="0" creator="ethereal/0.10.3">
<proto name="geninfo" pos="0" showname="General information" size="60">
<field name="num" pos="0" show="1" showname="Number" value="1" size="60"/>
<field name="len" pos="0" show="60" showname="Packet Length" value="3c" size="60"/>
<field name="caplen" pos="0" show="60" showname="Captured Length" value="3c" size="60"/>
<field name="timestamp" pos="0" show="Apr 22, 2004 08:47:14.358334000" showname="Captured Time" value="1082638034.358334000" size="60"/>
<proto name="frame" showname="Frame 1 (60 bytes on wire, 60 bytes captured)" size="60" pos="0">
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.time" showname="Arrival Time: Apr 22, 2004 08:47:14.358334000" size="0" pos="0" show="Apr 22, 2004 08:47:14.358334000"/>
<field name="frame.time_delta" showname="Time delta from previous packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
<field name="frame.pkt_len" showname="Packet Length: 60 bytes" size="0" pos="0" show="60"/>
<field name="frame.cap_len" showname="Capture Length: 60 bytes" size="0" pos="0" show="60"/>
<proto name="eth" showname="Ethernet II, Src: 00:00:d1:ec:f5:8e, Dst: 00:03:47:75:18:20" size="14" pos="0">
<field name="eth.dst" showname="Destination: 00:03:47:75:18:20 (00:03:47:75:18:20)" size="6" pos="0" show="00:03:47:75:18:20" value="000347751820"/>
<field name="eth.src" showname="Source: 00:00:d1:ec:f5:8e (00:00:d1:ec:f5:8e)" size="6" pos="6" show="00:00:d1:ec:f5:8e" value="0000d1ecf58e"/>
<field name="eth.addr" showname="Source or Destination Address: 00:03:47:75:18:20 (00:03:47:75:18:20)" size="6" pos="0" show="00:03:47:75:18:20" value="000347751820"/>
<field name="eth.addr" showname="Source or Destination Address: 00:00:d1:ec:f5:8e (00:00:d1:ec:f5:8e)" size="6" pos="6" show="00:00:d1:ec:f5:8e" value="0000d1ecf58e"/>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
<field name="eth.trailer" showname="Trailer: 00000000000000000000000000000000..." size="18" pos="42" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="00000000000000000000000
<proto name="ip" showname="Internet Protocol, Src Addr: (, Dst Addr: (" size="20" pos="14">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
<field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="00"/>
<field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="00"/>
<field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="00"/>
<field name="ip.len" showname="Total Length: 28" size="2" pos="16" show="28" value="001c"/>
<field name="" showname="Identification: 0x1026 (4134)" size="2" pos="18" show="0x1026" value="1026"/>
<field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0x00" value="00">
<field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="00"/>
<field name="ip.flags.df" showname=".0.. = Don't fragment: Not set" size="1" pos="20" show="0" value="00"/>
<field name="" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="00"/>
<field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" showname="Time to live: 53" size="1" pos="22" show="53" value="35"/>
<field name="ip.proto" showname="Protocol: ICMP (0x01)" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" showname="Header checksum: 0xb8f0 (correct)" size="2" pos="24" show="0xb8f0" value="b8f0"/>
<field name="ip.src" showname="Source: (" size="4" pos="26" show="" value="ac1b1404"/>
<field name="ip.addr" showname="Source or Destination Address: (" size="4" pos="26" show="" value="ac1b1404"/>
<field name="ip.dst" showname="Destination: (" size="4" pos="30" show="" value="c0a83c03"/>
<field name="ip.addr" showname="Source or Destination Address: (" size="4" pos="30" show="" value="c0a83c03"/>
<proto name="icmp" showname="Internet Control Message Protocol" size="8" pos="34">
<field name="icmp.type" showname="Type: 8 (Echo (ping) request)" size="1" pos="34" show="8" value="08"/>
<field name="icmp.code" showname="Code: 0 " size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" showname="Checksum: 0x6861 (correct)" size="2" pos="36" show="0x6861" value="6861"/>
<field name="icmp.ident" showname="Identifier: 0x809e" size="2" pos="38" show="0x809e" value="809e"/>
<field name="icmp.seq" showname="Sequence number: 0x0f00" size="2" pos="40" show="0x0f00" value="0f00"/>

PDML is related to NetPDL. Both were created at the same Italian university that brought the world Windump.
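As an added example (mine, not code from the page, from Ethereal, or from the PDML authors), the Python below uses the pos, size and value attributes of PDML fields to reassemble the captured frame bytes, then recomputes the IP header and ICMP checksums that the dissector marked "(correct)" and derives the addresses from the ip.src and ip.dst bytes. The sample PDML is constructed from the field values in the listing above, trimmed to the eth, ip and icmp protocols, stripped of attributes the code does not need, and given the closing tags the listing lacks; the field names are Ethereal's display-filter names.

```python
import struct
import xml.etree.ElementTree as ET

# Constructed sample: the eth/ip/icmp fields of the echo request above, made
# well-formed.  The geninfo and frame pseudo-protocols carry no wire bytes
# (their 'value' attributes are packet numbers and lengths) and are left out.
SAMPLE_PDML = """<pdml version="0" creator="ethereal/0.10.3">
<packet>
<proto name="eth" size="14" pos="0">
<field name="eth.dst" size="6" pos="0" value="000347751820"/>
<field name="eth.src" size="6" pos="6" value="0000d1ecf58e"/>
<field name="eth.type" size="2" pos="12" show="0x0800" value="0800"/>
</proto>
<proto name="ip" size="20" pos="14">
<field name="ip.version" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" size="1" pos="15" show="0" value="00"/>
<field name="ip.len" size="2" pos="16" show="28" value="001c"/>
<field name="ip.id" size="2" pos="18" show="0x1026" value="1026"/>
<field name="ip.flags" size="1" pos="20" show="0x00" value="00"/>
<field name="ip.frag_offset" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" size="1" pos="22" show="53" value="35"/>
<field name="ip.proto" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" size="2" pos="24" show="0xb8f0" value="b8f0"/>
<field name="ip.src" size="4" pos="26" value="ac1b1404"/>
<field name="ip.dst" size="4" pos="30" value="c0a83c03"/>
</proto>
<proto name="icmp" size="8" pos="34">
<field name="icmp.type" size="1" pos="34" show="8" value="08"/>
<field name="icmp.code" size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" size="2" pos="36" show="0x6861" value="6861"/>
<field name="icmp.ident" size="2" pos="38" show="0x809e" value="809e"/>
<field name="icmp.seq" size="2" pos="40" show="0x0f00" value="0f00"/>
</proto>
</packet>
</pdml>
"""

def rebuild_frame(pdml_text):
    """Reassemble the captured frame from each field's pos/size/value.

    Fields overlap (ip.version and ip.hdr_len both describe byte 14; the flags
    byte is also the start of ip.frag_offset).  Overlapping fields must agree,
    otherwise the PDML is internally inconsistent."""
    packet = ET.fromstring(pdml_text).find("packet")
    frame = {}
    for proto in packet.findall("proto"):
        if proto.get("name") in ("geninfo", "frame"):
            continue
        for field in proto.iter("field"):
            value, size = field.get("value"), int(field.get("size", "0"))
            if not value or len(value) != 2 * size:
                continue  # no wire bytes behind this field, or a truncated value
            pos = int(field.get("pos"))
            for i, b in enumerate(bytes.fromhex(value)):
                if frame.setdefault(pos + i, b) != b:
                    raise ValueError("conflicting byte at offset %d in %s" % (pos + i, field.get("name")))
    length = max(frame) + 1
    missing = [i for i in range(length) if i not in frame]
    if missing:
        raise ValueError("no field covers offsets %s" % missing)
    return bytes(frame[i] for i in range(length))

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, as used by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff

def verify_checksums(pdml_text):
    """Recompute the IP header and ICMP checksums from the rebuilt bytes.

    Returns {field: (reported, computed)}; the dissector's '(correct)' claim
    holds only when the two agree."""
    frame = rebuild_frame(pdml_text)
    ihl = (frame[14] & 0x0f) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip_hdr = bytearray(frame[14:14 + ihl])
    icmp = bytearray(frame[14 + ihl:14 + total_len])
    reported_ip = struct.unpack("!H", ip_hdr[10:12])[0]
    reported_icmp = struct.unpack("!H", icmp[2:4])[0]
    ip_hdr[10:12] = b"\x00\x00"   # the checksum field counts as zero while computing
    icmp[2:4] = b"\x00\x00"
    return {"ip.checksum": (reported_ip, inet_checksum(bytes(ip_hdr))),
            "icmp.checksum": (reported_icmp, inet_checksum(bytes(icmp)))}

def addresses(pdml_text):
    """Dotted-quad source and destination taken from the rebuilt IP header."""
    frame = rebuild_frame(pdml_text)
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(frame[26:30]), dotted(frame[30:34])

if __name__ == "__main__":
    print(addresses(SAMPLE_PDML), verify_checksums(SAMPLE_PDML))
```

Because the value attributes are the bytes as captured, anything built on PDML (a Sguil-style analyst tool, an archive of evidence) can check that the XML still matches the wire data; a checksum that no longer verifies points to a corrupted trace or an edited PDML file rather than a genuinely bad packet.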