ip

iproute2
IPROUTE2 Utility Suite Howto
VLAN for iproute2

ip [ OPTIONS ] OBJECT [ COMMAND [ ARGUMENTS ]]

link      - physical or logical network device.
address   - protocol (IPv4 or IPv6) address on a device.
neighbour - ARP or NDISC cache entry.
route     - routing table entry.
rule      - rule in routing policy database.
maddress  - multicast address.
mroute    - multicast routing cache entry.
tunnel    - tunnel over IP.

# Add IPv4 address
$ ip addr add 10.41.0.2/8 dev eth0

# Bring interface up
$ ip link set eth0 up

# Add VLAN virtual interface
$ ip link add link eth0 name eth0.100 type vlan id 100

# Add IPv4 address to VLAN virtual interface and bring it up
$ ip addr add 192.168.100.1/24 brd 192.168.100.255 dev eth0.100
$ ip link set dev eth0.100 up

ifconfig

arp, ifconfig, ipmaddr, iptunnel, route, nameif, mii-tool
net-tools (obsolete)

Alexey V. Khoroshilov

OSADL
Petr N. Devyanin, Alexey V. Khoroshilov, Victor V. Kuliamin, Alexander K. Petrenko, Ilya V. Shchepetkov
Institute for System Programming (ISP) of the Russian Academy of Sciences (RAS)
Formal Verification of OS Security Model with Alloy and Event-B
LinkedIn: Alexey Khoroshilov
dblp: computer science bibliography
UniTESK at Embedded World 2014
LinuxTesting Slides of our talks at LinuxCon Europe 2011

Dmitri Kasakow

VK: Dmitri Kasakow
Staatliche Technische Universität Moskau (MSTU)
BlogSpot: dimula73
launchpad: dimula73
github: dimula73
Kickstarker: Krita

Nicolas Voirol

Facebook
LinkedIn

Julien Griessen

Facebook

Boris Guerdat

Facebook

Sébastien Grau

Facebook

RFC 1034 – Domain names – concepts and facilities, November 1987
RFC 1035 – Domain names – implementation and specification, November 1987
RFC 1886 – DNS Extensions to support IP version 6, December 1995
RFC 2136 – Dynamic Updates in the Domain Name System (DNS UPDATE), April 1997
RFC 2308 – Negative Caching of DNS Queries (DNS NCACHE), March 1998
RFC 2535 – Domain Name System Security Extensions, March 1999
RFC DRAFT – A New Scheme for the Compression of Domain Names, June 1999 (not used?)
RFC 2874 – DNS Extensions to Support IPv6 Address Aggregation and Renumbering, July 2000
RFC 3225 – Indicating Resolver Support of DNSSEC, December 2001
RFC 3775 – Legacy Resolver Compatibility for Delegation Signer (DS), May 2004
RFC 4033 – DNS Security Introduction and Requirements, March 2005
RFC 4034 – Resource Records for the DNS Security Extensions, March 2005
RFC 4035 – Protocol Modifications for the DNS Security Extensions, March 2005
RFC 5155 – DNS Security (DNSSEC) Hashed Authenticated Denial of Existence, March 2008
RFC 6840 – Clarifications and Implementation Notes for DNS Security (DNSSEC), February 2013
RFC 6891 – Extension Mechanisms for DNS (EDNS(0)), April 2013 (OPT RR)
RFC 6895 – Domain Name System (DNS) IANA Considerations, April 2013

DNS Message Header and Question Section Format

O’Reilly DNS & BIND: C Programming with the Resolver Library Routines

Compressed Data

|   64 32 16| 8  4  2  1|   64 32 16| 8  4  2  1|
| 8  4  2  1| 8  4  2  1| 8  4  2  1| 8  4  2  1|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| 1 1 |                OFFSET                   |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

The first two bits are ones. This allows a pointer to be distinguished from a label, since the label
must begin with two zero bits because labels are restricted to 63 octets or less.

00 0D B9 35 88 B4 00 1B  21 5C 22 01 08 00 45 00  ...5....!\"...E.
00 77 5D B5 00 00 3B 11  AC CA A0 55 C0 64 0A 29  .w]...;....U.d.)
0A 14 00 35 83 7B 00 63  CE A1 A2 20 81 80 00 01  ...5.{.c... .�..
00 04 00 00 00 00 06 67  6F 6F 67 6C 65 02 63 68  .......google.ch
00 00 01 00 01 C0 0C 00  01 00 01 00 00 00 CE 00  ................
04 AD C2 74 2F C0 0C 00  01 00 01 00 00 00 CE 00  ...t/...........
04 AD C2 74 37 C0 0C 00  01 00 01 00 00 00 CE 00  ...t7...........
04 AD C2 74 38 C0 0C 00  01 00 01 00 00 00 CE 00  ...t8...........
04 AD C2 74 3F                                    ...t?

Ethernet Header

00 0D B9 35 88 B4 00 1B  21 5C 22 01 08 00        ...5....!\"...

Ethernet
   |-Destination MAC                    00:0d:b9:35:88:b4
   |-Source MAC                         00:1b:21:5c:22:01
   |-Type                               IPv4            (0x0800)

IP Header

                                           45 00                E.
00 77 5D B5 00 00 3B 11  AC CA A0 55 C0 64 0A 29  .w]...;....U.d.)
0A 14

IPv4 Header
   |-IP Version                         4
   |-IP Header Length                   5 dwords or 20 bytes
   |-Differentiated Service             0x00
   |-IP Total Length                    119 bytes
   |-Identification                     0x5db5          (23989)
   |-Flags                              0x0000          (0)
      |-Don't Fragment Field            no set         
      |-More Fragment Field             no set         
   |-Fragment Offset                    0x0000          (0)
   |-TTL                                59
   |-Protocol                           UDP             (17)
   |-Checksum                           0xacca          (44234)
   |-Source IP                          160.85.192.100  (0x64c055a0)
   |-Destination IP                     10.41.10.20     (0x140a290a)

UDP Header

.     00 35 83 7B 00 63  CE A1                      .5.{.c..

UDPv4 Header
   |-Source Port                        DNS             (53)
   |-Destination Port                   unknow          (33659)
   |-UDP Length                         99 Bytes
   |-UDP Checksum                       0xcea1          (52897)

DNS Header

                               A2 20 81 80 00 01            . .�..
00 04 00 00 00 00                                 ......

DNS Header
   |-Identifier                         0xa220          (41504)
   |-Flags                              0x8180          (33152)
      |-Query / Response     (qr)       Response
      |-Operation Code       (opcode)   Query           (0x0000)
      |-Authoritative Answer (aa)       not set
      |-Truncation           (tc)       not set
      |-Recursion Desired    (rd)       set
      |-Recursion Available  (ra)       set
      |-Authentic Data       (ad)       not set
      |-Checking Disabled    (cd)       not set
      |-Response Code        (rcode)    No Error (0)
   |-Questions                          1               (0x0001)
   |-Answer RRs                         4               (0x0004)
   |-Authority RRs                      0               (0x0000)
   |-Additional RRs                     0               (0x0000)

Query

QNAME (n labels), QTYPE, QCLASS

                 len value             len value
len = zero        06 67  6F 6F 67 6C 65 02 63 68        .google.ch
00 00 01 00 01
   qtype qclass

Answer

NAME (n labels), TYPE, CLASS, TTL, RDLENGTH, RDATA

               link (16-bit)
   value       C0 0C 00  01 00 01 00 00 00 CE 00       ...........
04 AD C2 74 2F       type   class ttl         len ...t/

               C0 0C 00  01 00 01 00 00 00 CE 00       ...........
04 AD C2 74 37                                    ...t7

               C0 0C 00  01 00 01 00 00 00 CE 00       ...........
04 AD C2 74 38                                    ...t8

               C0 0C 00  01 00 01 00 00 00 CE 00       ...........
04 AD C2 74 3F                                    ...t?

cb f3 81 80 00 01 00 02 00 00 00 00 07 61 6e 64
72 6f 69 64 0a 77 65 61 74 68 65 72 70 72 6f 0a
6d 65 74 65 6f 67 72 6f 75 70 02 64 65 00 00 01
00 01 c0 0c 00 05 00 01 00 00 00 af 00 1d 0c 6c
62 77 65 61 74 68 65 72 70 72 6f 0a 6d 65 74 65
6f 67 72 6f 75 70 03 63 6f 6d 00 c0 3e 00 01 00
01 00 00 02 53 00 04 c2 35 00 aa

DNS Header:

cb f3 81 80 00 01 00 02 00 00 00 00

Query:

07 61 6e 64
72 6f 69 64 0a 77 65 61 74 68 65 72 70 72 6f 0a
6d 65 74 65 6f 67 72 6f 75 70 02 64 65 00 00 01
00 01

Answer:

c0 0c 00 05 00 01 00 00 00 af 00 1d 0c 6c
62 77 65 61 74 68 65 72 70 72 6f 0a 6d 65 74 65
6f 67 72 6f 75 70 03 63 6f 6d 00

c0 0c 00 05 00 01 00 00 00 af 00 1d 0c 6c ………….l
62 77 65 61 74 68 65 72 70 72 6f 0a 6d 65 74 65 bweatherpro.mete
6f 67 72 6f 75 70 03 63 6f 6d 00 c0 3e 00 01 00 ogroup.com..>…
01 00 00 02 53 00 04 c2 35 00 aa ….S…5..

c0 0c 00 05 00 01 00 00 00 af 00 1d 0c 6c ………….l
62 77 65 61 74 68 65 72 70 72 6f 0a 6d 65 74 65 bweatherpro.mete
6f 67 72 6f 75 70 03 63 6f 6d 00 c0 3e 00 01 00 ogroup.com..>…
01 00 00 02 53 00 04 c2 35 00 aa ….S…5..

cb f3 81 80 00 01 00 02 00 00 00 00 07 61 6e 64 ………….and
72 6f 69 64 0a 77 65 61 74 68 65 72 70 72 6f 0a roid.weatherpro.
6d 65 74 65 6f 67 72 6f 75 70 02 64 65 00 00 01 meteogroup.de…
00 01 c0 0c 00 05 00 01 00 00 00 af 00 1d 0c 6c ……………l
62 77 65 61 74 68 65 72 70 72 6f 0a 6d 65 74 65 bweatherpro.mete
6f 67 72 6f 75 70 03 63 6f 6d 00 c0 3e 00 01 00 ogroup.com..>…
01 00 00 02 53 00 04 c2 35 00 aa ….S…5..

Multiple Questions in the same Request-Packet

can a dns packet have (question section > 1)
Some thoughts on QDCOUNT
Requesting A and AAAA records in single DNS query

4.1.1. Header section format
The header contains the following fields:
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    QDCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ANCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    NSCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ARCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

3.2.2. The CD Bit
   The CD bit exists in order to allow a security-aware resolver to
   disable signature validation in a security-aware name server's
   processing of a particular query

3.2.3. The AD Bit
   The name server side of a security-aware recursive name server MUST
   NOT set the AD bit in a response unless the name server considers all
   RRsets in the Answer and Authority sections of the response to be
   authentic.  The name server side SHOULD set the AD bit if and only if
   the resolver side considers all RRsets in the Answer section and any
   relevant negative response RRs in the Authority section to be
   authentic.

2. DNS Query/Response Headers


   The header for DNS queries and responses contains field/bits in the
   following diagram taken from [RFC2136]:

                                            1  1  1  1  1  1
              0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |                      ID                       |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |QR|   OpCode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |                QDCOUNT/ZOCOUNT                |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |                ANCOUNT/PRCOUNT                |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |                NSCOUNT/UPCOUNT                |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |                    ARCOUNT                    |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Stream Control Transmission Protocol (SCTP)

besser als TCP!

Filter

Capture Filter (tshark -f): BPF syntax
Display Filter (tshark -Y): Wireshark syntax

Wireshark Wiki: Capture Filters
Ask Wireshark: what is the difference between capture filter and display filter?
Ask Wireshark: Changing Display Filter to Capture Filter

TShark

Tshark column fields
Bug 10201 – col.Protocol missing from tshark 1.11.3 and 1.12.0-rc2

# tshark -i re0 -T fields -e frame.number -e ip.addr -e udp -e _ws.col.info
Capturing on 're0'
[...]
44      172.21.5.130,224.0.0.252        User Datagram Protocol, Src Port: 55317 (55317), Dst Port: 5355 (5355)
45      172.21.5.69,239.255.255.250     User Datagram Protocol, Src Port: 1900 (1900), Dst Port: 1900 (1900)

Video

Troubleshooting with Wireshark – Virtual Tour

• FreeRTOS, FreeRTOS Real Time Kernel (RTOS)
• Zephyr Project
• Apache Mynewt
• Apache NuttX
• Contiki
• RIOT
• Mbed OS
• TinyOS
• LiteOS

RTEMS

RTEMS Real Time Operating System (RTOS)
RTEMS Real Time Operating System (Commercial)

FreeRTOS

Porting FreeRTOS+UDP to a Different Microcontroller

Comparison

Comparison of these RTOS
Zephyr – An Operating System for IoT

Direct Memory Access und Bus Mastering, aus O’Reilly Linux-Gerätetreiber, 2. Auflage, April 2002

mikrocontroller.net

DMA
ARM MP3/AAC Player
LwIp-Stack: Raw Ethernet Packete senden
STM32F4 RCC Enable-Problem

Wikipedia

Speicherdirektzugriff, Direct Memory Access (DMA)
Remote direct memory access
RDMA over Converged Ethernet

opensource.apple.com: ping.c

/*
 * pinger --
 *	Compose and transmit an ICMP ECHO REQUEST packet.  The IP packet
 * will be added on by the kernel.  The ID field is our UNIX process ID,
 * and the sequence number is an ascending integer.  The first TIMEVAL_LEN
 * bytes of the data portion are used to hold a UNIX "timeval" struct in
 * host byte-order, to compute the round-trip time.
 */
static void
pinger(void)
{
    [...]
    if ((options & F_TIME) || timing) {
        (void)gettimeofday(&now, NULL);

        if (options & F_TIME)
            icp->icmp_otime = htonl((now.tv_sec % (24*60*60)) * 1000 + now.tv_usec / 1000);
        if (timing)
            bcopy((void *)&now, (void *)&outpack[ICMP_MINLEN + phdr_len], sizeof(struct timeval));
    }
    [...]
}

typedef u_int32_t n_time;       /* ms since 00:00 GMT, byte rev */

#define icmp_otime      icmp_dun.id_ts.its_otime
#define icmp_rtime      icmp_dun.id_ts.its_rtime
#define icmp_ttime      icmp_dun.id_ts.its_ttime

struct icmp {
        u_char  icmp_type;              /* type of message, see below */
        u_char  icmp_code;              /* type sub code */
        u_short icmp_cksum;             /* ones complement cksum of struct */
        union {
                u_char ih_pptr;                 /* ICMP_PARAMPROB */
                struct in_addr ih_gwaddr;       /* ICMP_REDIRECT */
                struct ih_idseq {
                        n_short icd_id;
                        n_short icd_seq;
                } ih_idseq;
                int ih_void;

                /* ICMP_UNREACH_NEEDFRAG -- Path MTU Discovery (RFC1191) */
                struct ih_pmtu {
                        n_short ipm_void;
                        n_short ipm_nextmtu;
                } ih_pmtu;

                struct ih_rtradv {
                        u_char irt_num_addrs;
                        u_char irt_wpa;
                        u_int16_t irt_lifetime;
                } ih_rtradv;
        } icmp_hun;
        union {
                struct id_ts {                  /* ICMP Timestamp */
                        n_time its_otime;       /* Originate */
                        n_time its_rtime;       /* Receive */
                        n_time its_ttime;       /* Transmit */
                } id_ts;
                struct id_ip  {
                        struct ip idi_ip;
                        /* options and then 64 bits of data */
                } id_ip;
                struct icmp_ra_addr id_radv;
                u_int32_t id_mask;
                char    id_data[1];
        } icmp_dun;
};

Wireshark-bugs: For ICMP Time Response, In detail pane, Timestamp is incorrectly decoded for MS Windows

Reference (1):
http://tools.ietf.org/html/rfc778
…
“The timestamp values are in milliseconds from midnight
UT and are stored right-justified in the 32-bit fields shown
above. Ordinarily, all time calculations are performed
modulo-24 hours in milliseconds.”

/* Converts a little-endian byte order unsigned long to host byte order. */
uint32 LETOHL(uint32 ul);

/*
 * RFC 792 for basic ICMP.
 * RFC 1191 for ICMP_FRAG_NEEDED (with MTU of next hop).
 * RFC 1256 for router discovery messages.
 * RFC 2002 and 3012 for Mobile IP stuff.
 */
static void
dissect_icmp(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree)
{
    [...]

    /* Decode the second 4 bytes of the packet. */
    switch (icmp_type) {
    
    [...]
    
    case ICMP_ECHOREPLY:
    case ICMP_ECHO:
        
        [...]
        
        /* Interpret the first 8 bytes of the icmp data as a timestamp
         * But only if it does look like it's a timestamp.
         *
         * FIXME:
         *    Timestamps could be in different formats depending on the OS
         */
        ts.secs  = tvb_get_ntohl(tvb, 8);
        ts.nsecs = tvb_get_ntohl(tvb, 8 + 4);   /* Leave at microsec resolution for now */
        
        if (abs((guint32) (ts.secs - pinfo->fd->abs_ts.secs)) >=
            3600 * 24 || ts.nsecs >= 1000000) {
            /* Timestamp does not look right in BE, try LE representation */
            ts.secs  = tvb_get_letohl(tvb, 8);
            ts.nsecs = tvb_get_letohl(tvb, 8 + 4);  /* Leave at microsec resolution for now */
        }
        if (abs((guint32) (ts.secs - pinfo->fd->abs_ts.secs)) < 3600 * 24 && ts.nsecs < 1000000) {
            ts.nsecs *= 1000;   /* Convert to nanosec resolution */
            proto_tree_add_time(icmp_tree, hf_icmp_data_time,
                                tvb, 8, 8, &ts);
            nstime_delta(&time_relative, &pinfo->fd->abs_ts,
                         &ts);
            ti = proto_tree_add_time(icmp_tree,
                                     hf_icmp_data_time_relative,
                                     tvb, 8, 8,
                                     &time_relative);
            PROTO_ITEM_SET_GENERATED(ti);
            call_dissector(data_handle,
                       tvb_new_subset_remaining(tvb,
                                8 + 8),
                       pinfo, icmp_tree);
        } else {
            call_dissector(data_handle,
                       tvb_new_subset_remaining(tvb, 8),
                       pinfo, icmp_tree);
        }
        break;
        
        [...]
    }
    
    [...]
}

Presentation

PF, The OpenBSD Packet Filter: Building The Network You Need, EuroBSDCon 2015, Stockholm, Sweden, October 1st 2015

Tutorials & HowTos

Pf Firewall “how to” – FreeBSD and OpenBSD ( pf.conf )
Paket Filter (PF) von OpenBSD und ALTQ
Getting AltQ working in pf.conf (limiting inbound Tor traffic)
PF Firewall Quick Guide
FreeBSD Tuning and Optimization – performance modifications for 1gig and 10gig networks

Statistics

pfstat
ALTQ statistics?

ntop (Official)
ntopng – High-Speed Web-based Traffic Analysis and Flow Collection (Official)
ntop (Wikipedia)
NTop
Network Monitoring Using Free Linux Tools
Unveiling Application Visibility in ntop and nProbe (both in NetFlow v9 and IPFIX)

FAQ

Table not found

Couldn't manipulate device /dev/pf: No such process

table <hacker> persist {
}

$ pfctl -n -f /etc/pf.conf       # Parse the configuration file, do not actually load rules
$ pfctl -T load -f /etc/pf.conf  # Load only the table definitions
$ pfctl -t hacker -T show        # Show the content of a table

RRDTool – tutorial and graph examples (OpenBSD with pf)
rrd-beginners

Network usage

Network Traffic Monitoring with RRDTool
Monitoring network traffic with iptraf and rrdtool
Monitorix Project by Jordi Sanfeliu
RRDtool with pfctl and spamd
Setting up traffic monitoring using rrdtool (and snmp)
Using SNMP and RRD to monitor your LEAF system

Alternatives

Alternatives to rrdtool?
Java RRD library
rrd4j, RRD4J 3.1 (released 2017-01-01)