BPF and VLAN

You've to be a bit careful with the vlan keyword as a BPF filter (when combining it with other filters), as it moves filters 4 bytes to the right, see here: http://www.christian-rossow.de/articles/tcpdump_filter_mixed_tagged_and_untagged_VLAN_traffic.php.

You could also use a filter of the ethernet header - this link describes the solution and potential issues perfectly: http://serverfault.com/questions/196250/tcpdump-capture-one-of-several-vlans.

The BSD Packet Filter: A New Architecture for User-level Packet Capture

http://www.tcpdump.org/papers/bpf-usenix93.pdf

Sniff Your own Networks with Tcpdump

http://www.safepatrolsolutions.com/papers/Tcpdump.pdf

arping utility in Linux

The arping utility is part of the iputils-arping package in Debian like systems.

It is very useful for finding out if an IP number is already taken in a local network.

The syntax should be:

~$ arping -D -I eth0 -c 3 172.17.12.228
ARPING 172.17.12.228 from 0.0.0.0 eth0
Sent 3 probes (3 broadcast(s))
Received 0 response(s)

No IP in this case.

~$ arping -D -I eth0 -c 3 172.17.12.222

ARPING 172.17.12.222 from 0.0.0.0 eth0

Unicast reply from 172.17.12.222 [00:21:70:6A:EA:48]  0.754ms

Sent 1 probes (1 broadcast(s))

Received 1 response(s)

One IP found.

-D Duplicate  address  detection  mode  (DAD).  See RFC2131, 4.4.1. Returns 0, if DAD succeeded i.e. no replies are received.

Sniffing Tutorial part 2 - Dumping Network Traffic to Disk - NETRESEC Blog

http://www.netresec.com/?page=Blog&month=2011-03&post=Sniffing-Tutorial-part-2---Dumping-Network-Traffic-to-Disk

Guide to IP Layer Network Administration with Linux

http://linux-ip.net/html/

Network interfaces in Fedora 14

http://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/ch-Network_Interfaces.html

IP Command Reference

http://linux-ip.net/gl/ip-cref/

Configuring static network routes in Fedora 14

http://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s1-networkscripts-static-routes.html

How to tell what process has a specific port open on Linux?

netstat -lnp --inet inet -4 -6

lsof -i :123

Ubuntu's non persistent network configuration

sudo ip addr add 192.168.1.14/24 dev eth0

sudo ip link set dev eth0 up

sudo ip route add default via 192.168.1.1

Or

ifconfig eth0 192.168.1.14 netmask 255.255.255.0

route add default gw 192.168.1.1 eth0

Wireshark tools

capinfos eth2_20120131_224001.pcap


editcap -i 120 eth2_20120131_224001.pcap eth2.pcap


editcap -A "2012-01-31 17:44:00" -B "2012-01-31 17:48:00" eth2_20120131_224001.pcap eth2_20120131.pcap

dladm and ndd in Solaris 10

show-dev is a dladm subcommand which lists only physical NICs along with their physical link state.

bash-3.00# dladm show-dev
e1000g0         link: up        speed: 1000  Mbps       duplex: full
e1000g1         link: up        speed: 1000  Mbps       duplex: full
e1000g2         link: up        speed: 1000  Mbps       duplex: full
e1000g3         link: up        speed: 1000  Mbps       duplex: full

ndd - get and set driver configuration parameters

To see which parameters are supported by the e1000g driver, use the following command:

# ndd /dev/e1000g2 \?

To set the full 1GB full-duplex negotiation:

ndd -set /dev/e1000g2 adv_1000fdx_cap 1

Delete route in Fedora

route del -net 172.16.9.0 netmask 255.255.255.0 eth3

Duplicate Address Detection with arping

arping -D -c 1 -I eth0 192.168.0.1

http://linux-ip.net/html/tools-arping.html

Windows Network Tips

ipconfig /all

ping

tracert

pathping

netstat

nslookup

netsh

netsh diag gui

netsh interface ip show joins

systeminfo

net statistics workstation

uptime

hh ntcmds.chm

tcpdump in OpenSolaris

tcpdump -s 0 -w file.pcap -i e1000g0 port 10689