Networking

MAC Addresses

MAC OUI

 

Reserved OUIs

Addresses Usage Reference
00-00-00 to 00-00-FF Reserved [RFC7042]
00-01-00 to 00-01-FF VRRP (Virtual Router Redundancy Protocol) [RFC5798]
00-02-00 to 00-02-FF VRRP IPv6 (Virtual Router Redundancy Protocol IPv6) [RFC5798]
00-03-00 to 00-51-FF Unassigned  
00-52-00 PacketPWEthA [RFC6658]
00-52-01 PacketPWEthB [RFC6658]
00-52-02 BFD for VXLAN [RFC8971]
00-52-03 to 00-52-12 Unassigned (small allocations)  
00-52-13 Proxy Mobile IPv6 [RFC6543]
00-52-14 to 00-52-FF Unassigned (small allocations)  
00-53-00 to 00-53-FF Documentation [RFC7042]
00-54-00 to 90-00-FF Unassigned  
90-01-00 TRILL OAM [RFC7455]
90-01-01 to 90-01-FF Unassigned (small allocations requiring both unicast and multicast)  
90-02-00 to FF-FF-FF Unassigned  


OUIs of virtualization platforms

Company and Products MAC unique identifier(s)
VMware ESX 3, Server, Workstation, Player 00-50-56, 00-0C-29, 00-05-69
Microsoft Hyper-V, Virtual Server, Virtual PC 00-03-FF, 00-15-5D
Parallels Desktop, Workstation, Server, Virtuozzo 00-1C-42
Virtual Iron 4 00-0F-4B
Red Hat Xen 00-16-3E
Oracle VM 00-16-3E
XenSource 00-16-3E
Novell Xen 00-16-3E
Sun xVM VirtualBox 08-00-27


Microsoft Network Monitor

I had never heard of this tool until today... I've always used Wireshark. Today I needed to view traffic broken out by application (PID/ProcessName). I went hunting and found the Microsoft Network Monitor. Surprisingly it's very feature rich, easy to use, and did exactly what I needed it to do... and sooo much more. Check it out!

Example Filters

Capturing everything except RDP:

!(tcp.port==3389)

Capture only DNS:

DNS

Filter Source or Destination IPv4 Address:

IPv4.Address == 1.1.1.1

Filter Source IPv4 Address:

IPv4.SourceAddress == 1.1.1.1

Filter IPv4 Source and Destination:

IPv4.Address==1.1.1.1 and IPv4.Address==2.2.2.2

Filter IPv4 Source or Destination to subnet:

((ipv4.Address & 255.0.0.0) == 10.0.0.0)

Filter IPv4 traffic to private only traffic (source and destination in RFC-1918 private subnets):

(((IPv4.SourceAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.SourceAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.SourceAddress & 255.255.0.0) == 192.168.0.0))
&&
(((IPv4.DestinationAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.DestinationAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.DestinationAddress & 255.255.0.0) == 192.168.0.0))
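
The mask-and-compare test the filter above performs, as an added shell example (not part of the original notes): it applies the same three mask/network pairs to constructed address pairs so the 172.16.0.0/12 boundary can be checked. The function names are illustrative, and octets are assumed to be written without leading zeros.

```shell
#!/bin/sh
# Added example: the (address & mask) == network test from the filter above.

# Convert a dotted-quad IPv4 address to an integer; reject malformed input.
ip_to_int() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when (ADDRESS & MASK) == NETWORK.
in_net() {          # usage: in_net ADDRESS MASK NETWORK
    a=$(ip_to_int "$1") && m=$(ip_to_int "$2") && n=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq "$n" ]
}

# The three RFC 1918 blocks, with the same masks the filter uses.
is_rfc1918() {
    in_net "$1" 255.0.0.0   10.0.0.0   ||
    in_net "$1" 255.240.0.0 172.16.0.0 ||
    in_net "$1" 255.255.0.0 192.168.0.0
}

# Both endpoints private: the "&&" joining the two halves of the filter.
private_only() { is_rfc1918 "$1" && is_rfc1918 "$2"; }

# Constructed sample flows (source destination), not from a real capture.
demo() {
    while read -r src dst; do
        if private_only "$src" "$dst"; then v=keep; else v=drop; fi
        printf '%-15s -> %-15s %s\n' "$src" "$dst" "$v"
    done <<'EOF'
10.1.2.3 192.168.0.10
172.31.255.254 10.0.0.1
172.32.0.1 10.0.0.1
192.168.1.5 8.8.8.8
EOF
}
demo
```
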

Filter traffic by ProcessName

The filter below allows you to see if a process is communicating with any other IP address besides the one you listed:

ProcessName.Contains("WindTerm.exe") && IPv4.Address!= 9.9.9.9

Filtering NPS + Azure MFA

The Azure MFA NPS Extension uses HTTPS to communicate with login.microsoftonline.com and credentials.azure.com. The filters below enable capturing related traffic.

Suggested capture filter:

// Suggested capture filter
tcp.port == 443         // HTTPS
OR udp.port == 1812     // RADIUS
OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com")
OR DNS.Qrecord.QuestionName.contains("credentials.azure.com")

Suggested display filter:

// Suggested display filter
udp.port==1812 // RADIUS packets
OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com")
OR DNS.Qrecord.QuestionName.contains("credentials.azure.com")
OR ContainsBin(FrameData, ASCII, "login.microsoftonline.com") // Will show HTTPS certificate negotiation packets
OR ContainsBin(FrameData, ASCII, "credentials.azure.com")     // Will show HTTPS certificate negotiation packets
OR ((ipv4.SourceAddress & 255.255.0.0) == 20.190.0.0) || ((ipv4.DestinationAddress & 255.255.0.0) == 20.190.0.0)
OR ((ipv4.SourceAddress & 255.255.0.0) == 40.126.0.0) || ((ipv4.DestinationAddress & 255.255.0.0) == 40.126.0.0)


Netplan, Bonding, and VLANs

Creating a bond interface with Netplan

The example below shows two Ethernet interfaces bonded using the active-passive mode.

The following packages are required: ifenslave and vlan

network:
  version: 2
  ethernets:
    enp1s0:
      dhcp4: no
      optional: true
    enp2s0:
      dhcp4: no
      optional: true
    # match all other ports if desired
    ethernetPorts:
      dhcp4: no
      optional: true
      match:
        name: eth*|em*|en*
  bonds:
    bond0:
      interfaces: [ enp1s0, enp2s0, ethernetPorts ]
      addresses: [ 192.168.168.115/24 ]
      gateway4: 192.168.168.1
      nameservers:
        search: [ mydomain.com ]
        addresses: [ 192.168.168.1, 8.8.8.8, 8.8.4.4 ]
      parameters:
        mode: active-backup
        primary: enp1s0
        primary-reselect-policy: always
        mii-monitor-interval: 100
        up-delay: 3s # must be a multiple of mii-monitor-interval; make sure it's longer than the STP/RSTP/MSTP learning interval as well
#      routes:
#        - to: 10.0.0.0/8
#          via: 192.168.168.1
#        - to: 172.16.0.0/12
#          via: 192.168.168.1
#        - to: 192.168.0.0/16
#          via: 192.168.168.1


Using a VLAN on a bond interface

This configuration is from Ubuntu 18.04 LTS. Two Ethernet interfaces are bonded using the active-passive mode. The untagged bond0 interface is for private traffic, while a public IP address is delivered to a tagged VLAN subinterface using VLAN 262.

The following packages are required: ifenslave and vlan

network:
  version: 2
  ethernets:
    enp1s0:
      dhcp4: no
      optional: true
    enp2s0:
      dhcp4: no
      optional: true
    # match all other ports if desired
    ethernetPorts:
      dhcp4: no
      optional: true
      match:
        name: eth*|em*|en*
  bonds:
    bond0:
      interfaces: [ enp1s0, enp2s0, ethernetPorts ]
      addresses: [ 192.168.168.115/24 ]
      parameters:
        mode: active-backup
        primary: enp1s0
        primary-reselect-policy: always
        mii-monitor-interval: 100
        up-delay: 3s # must be a multiple of mii-monitor-interval; make sure it's longer than the STP/RSTP/MSTP learning interval as well
#      routes:
#        - to: 10.0.0.0/8
#          via: 192.168.168.1
#        - to: 172.16.0.0/12
#          via: 192.168.168.1
#        - to: 192.168.0.0/16
#          via: 192.168.168.1

  vlans:
    bond0.262:
        id: 262
        link: bond0
        addresses: [ 1.1.1.123/28 ]
        gateway4: 1.1.1.113
        nameservers:
            search: [ servers.domain.com ]
            addresses: [ 1.1.1.113, 8.8.8.8, 8.8.4.4 ]

systemd-networkd-wait-online.service

Ubuntu 22.04

In Ubuntu 22.04, even though the netplan configuration is correct, the service systemd-networkd-wait-online.service will wait for 120 seconds if one of the network interfaces is not connected.

In order to get around this, one solution is to add the "--any" option to the ExecStart line as shown below. You can also reduce the default timeout from 120 seconds to 10 seconds by adding the "--timeout=10" option.

On Ubuntu, the file is located at /etc/systemd/system/
On Debian, the file is located at /var/lib/systemd/system/

[Unit]
Description=Wait for Network to be Configured
Documentation=man:systemd-networkd-wait-online.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
Requires=systemd-networkd.service
After=systemd-networkd.service
Before=network-online.target shutdown.target

[Service]
Type=oneshot
ExecStart=/lib/systemd/systemd-networkd-wait-online --any --timeout=10
RemainAfterExit=yes

[Install]
WantedBy=network-online.target

Alternatively, you could just disable and mask the service altogether as it actually isn't needed. If you are going to disable the service, I would strongly recommend adding the two options shown above in addition just in case the service gets re-enabled in the future.

Debian 11 (Raspberry Pi)

On a Raspberry Pi running Debian 11.5, we had a similar issue. We never were able to get rid of the message, but making the above configuration changes made sure the system booted properly regardless of how many Ethernet interfaces were physically connected to switches at boot time.

Error during boot:

[FAILED] Failed to start Wait for Network to be Configured.
See 'systemctl status systemd-networkd-wait-online.service' for details.

Output from systemctl status commands:

# OUTPUT FROM systemctl status systemd-networkd-wait-online.service
    systemd-networkd-wait-online.service - Wait for Network to be Configured
     Loaded: loaded (/lib/systemd/system/systemd-networkd-wait-online.service; enabled-runtime; vendor preset: disabled)
     Active: failed (Result: exit-code) since Thu 2023-05-18 17:10:59 BST; 2min 44s ago
       Docs: man:systemd-networkd-wait-online.service(8)
    Process: 189 ExecStart=/lib/systemd/systemd-networkd-wait-online (code=exited, status=1/FAILURE)
   Main PID: 189 (code=exited, status=1/FAILURE)
        CPU: 148ms

Aug 07 14:25:36 6230dea99f07e90f52b5f68b systemd[1]: Starting Wait for Network to be Configured...
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd-networkd-wait-online[189]: Event loop failed: Connection timed out
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd[1]: systemd-networkd-wait-online.service: Main process exited, code=exited, status=1/FAILURE
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd[1]: systemd-networkd-wait-online.service: Failed with result 'exit-code'.
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd[1]: Failed to start Wait for Network to be Configured.

References

https://netplan.io/examples

https://www.freedesktop.org/software/systemd/man/systemd-networkd-wait-online.service.html


OSPF

OSPF Cost

cost = reference bandwidth / configured bandwidth of interface in kbps

reference bandwidth = 100,000 kbps
Interface speed OSPF Cost
100 Mbps 1
10 Mbps 10
6 Mbps 17
5 Mbps 20
4 Mbps 25
3 Mbps 33
2 Mbps 50
1.5 Mbps 67
1 Mbps 100
768 Kbps 130
512 Kbps 195
384 Kbps 260
256 Kbps 391
128 Kbps 781
64 Kbps 1563

 

Ruckus / Brocade

https://robrobstation.com/2017/07/17/ruckus-icx7150-c12p-initial-configuration/

 

The Most Common OpenSSL Commands

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

Generate a new private key and Certificate Signing Request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privateKey.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

Check a Certificate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr

Check a private key

openssl rsa -in privateKey.key -check

Check a certificate

openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private key doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
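
An added example, not from the original page: the same match check done on the whole public key with SHA-256 instead of an MD5 of the RSA modulus, so it also works for non-RSA keys. Function and file names are illustrative, the fixtures are throwaway keys generated on the spot, and private keys are assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: compare the public key held by a certificate, CSR or private key.

# Emit the public key (PEM, SubjectPublicKeyInfo) from one of the three file types.
pubkey_pem() {      # usage: pubkey_pem cert|csr|key FILE
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# SHA-256 of that public key; fails instead of hashing empty output.
pubkey_digest() {   # usage: pubkey_digest cert|csr|key FILE
    pem=$(pubkey_pem "$1" "$2") && [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when both files carry the same public key.
same_key() {        # usage: same_key TYPE1 FILE1 TYPE2 FILE2
    d1=$(pubkey_digest "$1" "$2") && d2=$(pubkey_digest "$3" "$4") || return 2
    [ "$d1" = "$d2" ]
}

# Throwaway fixtures built with the commands from this page
# (-subj added so req does not prompt); other.key is an unrelated EC key.
make_fixtures() {   # usage: make_fixtures DIR
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=example.test" -keyout "$1/privateKey.key" \
        -out "$1/certificate.crt" 2>/dev/null &&
    openssl req -new -key "$1/privateKey.key" -subj "/CN=example.test" \
        -out "$1/CSR.csr" 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/other.key" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) && make_fixtures "$tmp" || return 1
    same_key cert "$tmp/certificate.crt" key "$tmp/privateKey.key" && echo "cert vs key:       match"
    same_key csr  "$tmp/CSR.csr"         key "$tmp/privateKey.key" && echo "csr vs key:        match"
    same_key cert "$tmp/certificate.crt" key "$tmp/other.key"      || echo "cert vs other.key: MISMATCH"
    rm -rf "$tmp"
}
demo
```
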

Check an SSL connection. All the certificates (including Intermediates) should be displayed

openssl s_client -connect www.paypal.com:443

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt


Wireshark

Capture Filters

bootp and dhcp


port 67 or port 68

Name resolution protocols

DNS

Domain Name System

udp port 53

mDNS

udp port 5353

LLMNR

Link-local multicast name resolution

udp port 5355

All together now

udp port 53 or udp port 5353 or udp port 5355

Network discovery protocols

An easy way to view discovery protocol traffic from a laptop is by using Wireshark and the capture filters below for CDP, LLDP and MNDP. Use the appropriate capture filter for the type of device you're trying to gather information about, or use all three of them in the same capture filter.

CDP

Cisco Discovery Protocol

ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000

LLDP

ether proto 0x88cc

MNDP

Mikrotik Discovery Protocol

udp dst port 5678 and udp src port 5678

CDP/LLDP/MNDP

All three of the above capture filters in one:

(ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000) or (ether proto 0x88cc) or (udp dst port 5678 and udp src port 5678)

Capturing on an interval in Linux

The command below will capture all traffic to/from 8.8.8.8. A new capture file will be created every 600 seconds (10 minutes).

dumpcap -b duration:600 -f "host 8.8.8.8" -w capture-google

Mikrotik Packet Capture Streaming

To accept only TZSP traffic, a capture filter like this can be used:

udp port 37008

Note that TZSP can be sent on any UDP port you set it to, so adjust the above capture as needed.

Using tshark

Interface List

This is typically needed when running tshark on Windows.

tshark -D
tshark -i <interface_id>

Capture Filter

# capture only udp dns packets
tshark -f "udp port 53"

Saving Packets

# save packets (doesn't display packets)
tshark -f "udp port 37008" -w captured.pcap

# save and display packets
tshark -f "udp port 37008" -w captured.pcap -P

# save and display packets with LOTS of detail
tshark -f "udp port 37008" -w captured.pcap -P -O dns -V

Automatic stop

Options are duration:[seconds], filesize:[KB], and files:[n].

tshark -a duration:60
tshark -a filesize:1000

Ring Buffer Capture

tshark -b duration:3600 -b filesize:1000 -b files:24 -w ring_buffer.pcap
tshark -b duration:86400 -b filesize:1000 -b files:30 -w ring_buffer.pcap

Practical examples

# TZSP stream capture on specific interface
tshark -f "udp port 37008" -i 5

# TZSP stream capture on alternate udp port, uses decode as feature
tshark -f "udp port 37091" -d udp.port==37091,tzsp