MAC Addresses
|00-00-00 to 00-00-FF||Reserved||[RFC7042]|
|00-01-00 to 00-01-FF||VRRP (Virtual Router Redundancy Protocol)||[RFC5798]|
|00-02-00 to 00-02-FF||VRRP IPv6 (Virtual Router Redundancy Protocol IPv6)||[RFC5798]|
|00-03-00 to 00-51-FF||Unassigned|
|00-52-02||BFD for VXLAN||[RFC8971]|
|00-52-03 to 00-52-12||Unassigned (small allocations)|
|00-52-13||Proxy Mobile IPv6||[RFC6543]|
|00-52-14 to 00-52-FF||Unassigned (small allocations)|
|00-53-00 to 00-53-FF||Documentation||[RFC7042]|
|00-54-00 to 90-00-FF||Unassigned|
|90-01-01 to 90-01-FF||Unassigned (small allocations requiring both unicast and multicast)|
|90-02-00 to FF-FF-FF||Unassigned|
OUIs of virtualization platforms
|Company and Products||MAC unique identifier(s)|
|VMware ESX 3, Server, Workstation, Player||00-50-56, 00-0C-29, 00-05-69|
|Microsoft Hyper-V, Virtual Server, Virtual PC||
|Parallels Desktop, Workstation, Server, Virtuozzo||00-1C-42|
|Virtual Iron 4||00-0F-4B|
|Red Hat Xen||00-16-3E|
|Sun xVM VirtualBox||08-00-27|
Microsoft Network Monitor
I had never heard of this tool until today... I've always used Wireshark. Today I needed to view traffic broken out by application (PID/ProcessName). I went hunting and found the Microsoft Network Monitor. Surprisingly it's very feature rich, easy to use, and did exactly what I needed it to do... and sooo much more. Check it out!
Capturing everything except RDP:
Capture only DNS:
Filter Source or Destination IPv4 Address:
IPv4.Address == 184.108.40.206
Filter Source IPv4 Address:
IPv4.SourceAddress == 220.127.116.11
Filter IPv4 Source and Destination:
IPv4.Address==18.104.22.168 and IPv4.Address==22.214.171.124
Filter IPv4 Source or Destination to subnet:
((ipv4.Address & 255.0.0.0) == 10.0.0.0)
Filter IPv4 traffic to private only traffic (source and destination in RFC-1918 private subnets):
(((IPv4.SourceAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.SourceAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.SourceAddress & 255.255.0.0) == 192.168.0.0)) && (((IPv4.DestinationAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.DestinationAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.DestinationAddress & 255.255.0.0) == 192.168.0.0))
Filter traffic by ProcessName
The filter below allows you to see if a process is communicating with any other IP address besides the one you listed:
ProcessName.Contains("WindTerm.exe") && IPv4.Address!= 126.96.36.199
Filtering NPS + Azure MFA
The Azure MFA NPS Extension uses HTTPS to communicate with login.microsoftonline.com and credentials.azure.com. The filters below enable capturing related traffic.
Suggested capture filter:
// Suggested capture filter
tcp.port == 443 // HTTPS
OR udp.port == 1812 // RADIUS
OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com")
OR DNS.Qrecord.QuestionName.contains("credentials.azure.com")
Suggested display filter:
// Suggested display filter
udp.port==1812 // RADIUS packets
OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com")
OR DNS.Qrecord.QuestionName.contains("credentials.azure.com")
OR ContainsBin(FrameData, ASCII, "login.microsoftonline.com") // Will show HTTPS certificate negotiation packets
OR ContainsBin(FrameData, ASCII, "credentials.azure.com") // Will show HTTPS certificate negotiation packets
OR ((ipv4.SourceAddress & 255.255.0.0) == 188.8.131.52) || ((ipv4.DestinationAddress & 255.255.0.0) == 184.108.40.206)
OR ((ipv4.SourceAddress & 255.255.0.0) == 220.127.116.11) || ((ipv4.DestinationAddress & 255.255.0.0) == 18.104.22.168)
Example on other sites:
Netplan, Bonding, and VLANs
Creating a bond interface with Netplan
The example below shows two Ethernet interfaces bonded using the active-passive mode.
The following packages are required: ifenslave and vlan
network:
  version: 2
  ethernets:
    enp1s0:
      dhcp4: no
      optional: true
    enp2s0:
      dhcp4: no
      optional: true
    # match all other ports if desired
    ethernetPorts:
      dhcp4: no
      optional: true
      match:
        name: eth*|em*|en*
  bonds:
    bond0:
      interfaces: [ enp1s0, enp2s0, ethernetPorts ]
      addresses: [ 192.168.168.115/24 ]
      gateway4: 192.168.168.1
      nameservers:
        search: [ mydomain.com ]
        addresses: [ 192.168.168.1, 22.214.171.124, 126.96.36.199 ]
      parameters:
        mode: active-backup
        primary: enp1s0
        primary-reselect-policy: always
        mii-monitor-interval: 100
        up-delay: 3s # must be a multiple of mii-monitor-interval, make sure its longer than STP/RSTP/MSTP learning interval also
      # routes:
      #   - to: 10.0.0.0/8
      #     via: 192.168.168.1
      #   - to: 172.16.0.0/12
      #     via: 192.168.168.1
      #   - to: 192.168.0.0/16
      #     via: 192.168.168.1
- "optional: true" instructs Netplan to boot the operating system even if the network interface is unavailable or not connected. Without this option, the system will not fully boot until all network cables are connected.
- "mii-monitor-interval: 100" must be set to some value or link up / down events will not actually be detected. A value of zero, which is the default, will disable the detection of interface changes, which seems rather counter-intuitive when we're configuring the mode as active-backup.
- "up-delay: 10000" prevents packet loss when connecting an interface. It must be a multiple of the mii-monitor-interval value.
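The two timing rules in the notes above (MII monitoring must be non-zero, and up-delay must be a multiple of it) can be checked against a Netplan file before it is applied. This is an added example, not part of the original page: the function names are hypothetical, and it assumes one bond per file and that bare values are milliseconds while `s` and `ms` suffixes are allowed.

```shell
#!/bin/sh
# Added example (not from the original page): check the bond timing rules
# described in the notes above. Assumes a single bond per Netplan file.

# to_ms VALUE -> milliseconds; bare numbers are milliseconds, "3s" is 3000.
to_ms() {
    case "$1" in
        *ms) echo "${1%ms}" ;;
        *s)  echo $(( ${1%s} * 1000 )) ;;
        *)   echo "$1" ;;
    esac
}

# bond_param FILE KEY -> value of "KEY: value" with any trailing comment
# removed. Commented-out lines ("# KEY: ...") do not match.
bond_param() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# check_bond_timing FILE
#   0 = both rules hold
#   1 = mii-monitor-interval missing or zero (link changes are not detected)
#   2 = up-delay is not a multiple of mii-monitor-interval
check_bond_timing() {
    mii=$(to_ms "$(bond_param "$1" mii-monitor-interval)")
    up=$(to_ms "$(bond_param "$1" up-delay)")
    [ "${mii:-0}" -gt 0 ] || return 1
    [ $(( ${up:-0} % mii )) -eq 0 ] || return 2
}

# Constructed sample: the parameters block from the configuration above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
      parameters:
        mode: active-backup
        mii-monitor-interval: 100
        up-delay: 3s # must be a multiple of mii-monitor-interval
EOF
rc=0
check_bond_timing "$sample" || rc=$?
echo "sample config: rc=$rc"
rm -f "$sample"
```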
Using a VLAN on a bond interface
This is a configuration from Ubuntu 18.04 LTS. Two Ethernet interfaces are bonded using the active-passive mode. The untagged bond0 interface is for private traffic, while a public IP address is being delivered to a tagged VLAN sub interface using VLAN 262.
The following packages are required: ifenslave and vlan
network:
  version: 2
  ethernets:
    enp1s0:
      dhcp4: no
      optional: true
    enp2s0:
      dhcp4: no
      optional: true
    # match all other ports if desired
    ethernetPorts:
      dhcp4: no
      optional: true
      match:
        name: eth*|em*|en*
  bonds:
    bond0:
      interfaces: [ enp1s0, enp2s0, ethernetPorts ]
      addresses: [ 192.168.168.115/24 ]
      parameters:
        mode: active-backup
        primary: enp1s0
        primary-reselect-policy: always
        mii-monitor-interval: 100
        up-delay: 3s # must be a multiple of mii-monitor-interval, make sure its longer than STP/RSTP/MSTP learning interval also
      # routes:
      #   - to: 10.0.0.0/8
      #     via: 192.168.168.1
      #   - to: 172.16.0.0/12
      #     via: 192.168.168.1
      #   - to: 192.168.0.0/16
      #     via: 192.168.168.1
  vlans:
    bond0.262:
      id: 262
      link: bond0
      addresses: [ 188.8.131.52/28 ]
      gateway4: 184.108.40.206
      nameservers:
        search: [ servers.domain.com ]
        addresses: [ 220.127.116.11, 18.104.22.168, 22.214.171.124 ]
In Ubuntu 22.04, even though the netplan configuration is correct, the service systemd-networkd-wait-online.service will wait for 120 seconds if one of the network interfaces is not connected.
In order to get around this, one solution is to add the "--any" option to the ExecStart line as shown below. You can also reduce the default timeout from 120 seconds to 10 seconds by adding the "--timeout=10" option.
On Ubuntu, the file is located at /etc/systemd/system/
On Debian, the file is located at /var/lib/systemd/system/
[Unit]
Description=Wait for Network to be Configured
Documentation=man:systemd-networkd-wait-online.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
Requires=systemd-networkd.service
After=systemd-networkd.service
Before=network-online.target shutdown.target

[Service]
Type=oneshot
ExecStart=/lib/systemd/systemd-networkd-wait-online --any --timeout=10
RemainAfterExit=yes

[Install]
WantedBy=network-online.target
Alternatively, you could just disable and mask the service altogether as it actually isn't needed. If you are going to disable the service, I would strongly recommend adding the two options shown above in addition just in case the service gets re-enabled in the future.
Debian 11 (Raspberry Pi)
On a Raspberry Pi running Debian 11.5, we had a similar issue. We never were able to get rid of the message, but making the above configuration changes made sure the system booted properly regardless of how many Ethernet interfaces were physically connected to switches at boot time.
Error during boot:
[FAILED] Failed to start Wait for Network to be Configured. See 'systemctl status systemd-networkd-wait-online.service' for details.
Output from systemctl status commands:
# OUTPUT FROM systemctl status systemd-networkd-wait-online.service
systemd-networkd-wait-online.service - Wait for Network to be Configured
     Loaded: loaded (/lib/systemd/system/systemd-networkd-wait-online.service; enabled-runtime; vendor preset: disabled)
     Active: failed (Result: exit-code) since Thu 2023-05-18 17:10:59 BST; 2min 44s ago
       Docs: man:systemd-networkd-wait-online.service(8)
    Process: 189 ExecStart=/lib/systemd/systemd-networkd-wait-online (code=exited, status=1/FAILURE)
   Main PID: 189 (code=exited, status=1/FAILURE)
        CPU: 148ms

Aug 07 14:25:36 6230dea99f07e90f52b5f68b systemd: Starting Wait for Network to be Configured...
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd-networkd-wait-online: Event loop failed: Connection timed out
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd: systemd-networkd-wait-online.service: Main process exited, code=exited, status=1/FAILURE
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd: systemd-networkd-wait-online.service: Failed with result 'exit-code'.
May 18 17:10:59 6230dea99f07e90f52b5f68b systemd: Failed to start Wait for Network to be Configured.
cost = reference bandwidth / configured bandwidth of interface in kbps
reference bandwidth = 100,000 kbps
|Interface speed||OSPF Cost|
Ruckus / Brocade
The Most Common OpenSSL Commands
General OpenSSL Commands
These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.
Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Checking Using OpenSSL
If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
Check a private key
openssl rsa -in privateKey.key -check
Check a certificate
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
Debugging Using OpenSSL
If you are receiving an error that the private key doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
Check an SSL connection. All the certificates (including Intermediates) should be displayed
openssl s_client -connect www.paypal.com:443
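The modulus comparison above only applies to RSA keys. The script below is an added example, not part of the original page, that generalizes the check by hashing the whole public key with SHA-256, so it also covers EC keys. The function names, file names and the `example.test` subject are constructed for the demonstration, and private keys are assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: match certificate, CSR and private key by a SHA-256 digest of
# the public key (works for RSA and EC) instead of an MD5 of the RSA modulus.

# pub_fp TYPE FILE -> SHA-256 of the PEM public key; fails on unreadable input
pub_fp() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # Without this guard two unparsable files would both hash the empty string
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key TYPE_A FILE_A TYPE_B FILE_B -> 0 match, 1 mismatch, 2 parse error
same_key() {
    fp_a=$(pub_fp "$1" "$2") || return 2
    fp_b=$(pub_fp "$3" "$4") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# make_samples DIR -> constructed throwaway material (CN is a placeholder)
make_samples() {
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=example.test" -keyout "$1/rsa.key" -out "$1/rsa.crt" 2>/dev/null
    openssl req -new -key "$1/rsa.key" -subj "/CN=example.test" \
        -out "$1/rsa.csr" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$1/ec.key" -days 1 -subj "/CN=example.test" \
        -out "$1/ec.crt" 2>/dev/null
}

dir=$(mktemp -d)
make_samples "$dir"
same_key cert "$dir/rsa.crt" key "$dir/rsa.key" && echo "rsa.crt / rsa.key: match"
same_key cert "$dir/rsa.crt" csr "$dir/rsa.csr" && echo "rsa.crt / rsa.csr: match"
same_key cert "$dir/ec.crt"  key "$dir/ec.key"  && echo "ec.crt  / ec.key : match"
same_key cert "$dir/rsa.crt" key "$dir/ec.key"  || echo "rsa.crt / ec.key : MISMATCH"
rm -rf "$dir"
```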
Converting Using OpenSSL
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
bootp and dhcp
port 67 or port 68
Name resolution protocols
Cisco Discovery Protocol
udp port 53
udp port 5353
Link-local multicast name resolution
udp port 5355
All together now
udp port 53 or udp port 5353 or udp port 5355
Network discovery protocols
An easy way to view discovery protocol traffic from a laptop is by using Wireshark and the capture filters below for CDP, LLDP and MNDP. Use the appropriate capture filter for the type of device you're trying to gather information about, or use all three of them in the same capture filter.
Cisco Discovery Protocol
ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000
Link Layer Discovery Protocol
ether proto 0x88cc
Mikrotik Discovery Protocol
udp dst port 5678 and udp src port 5678
All three of the above capture filters in one:
(ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000) or (ether proto 0x88cc) or (udp dst port 5678 and udp src port 5678)
Capturing on an interval in Linux
The command below will capture all traffic to/from 126.96.36.199. A new capture file will be created every 600 seconds (10 minutes).
dumpcap -b duration:600 -f "host 188.8.131.52" -w capture-google
Mikrotik Packet Capture Streaming
To accept only TZSP traffic, a capture filter like this can be used:
udp port 37008
Note that TZSP can be sent on any UDP port you set it to, so adjust the above capture as needed.
This is typically needed when running tshark on Windows.
tshark -D
tshark -i <interface_id>
# capture only udp dns packets
tshark -f "udp port 53"
# save packets (doesn't display packets)
tshark -f "udp port 37008" -w captured.pcap
# save and display packets
tshark -f "udp port 37008" -w captured.pcap -P
# save and display packets with LOTS of detail
tshark -f "udp port 37008" -w captured.pcap -P -O dns -V
Options are duration:[seconds], filesize:[KB], and files:[n].
tshark -a duration:60
tshark -a filesize:1000
Ring Buffer Capture
tshark -b duration:3600 -b filesize:1000 -b files:24 -w ring_buffer.pcap
tshark -b duration:86400 -b filesize:1000 -b files:30 -w ring_buffer.pcap
# TZSP stream capture on specific interface
tshark -f "udp port 37008" -i 5
# TZSP stream capture on alternate udp port, uses decode as feature
tshark -f "udp port 37091" -d udp.port==37091,tzsp