In an earlier post, I covered some basic and a few advanced techniques that can be done with tcpdump and bpf. Today I would like to expand upon those ideas just a little more.

Recently I was tasked with examining some traffic captures, looking for some specific UDP traffic. In this case, UDP traffic with a source port greater than or equal to 1024 and a destination port equal to 80. So how did I achieve this task with tcpdump?

tcpdump -n(r or i) <pcap.file or interface> ‘(udp[0:2] >= 1024 and udp[2:2]=80)’ -s0

So what does all that really mean? It’s actually pretty simple. The four most useful bpf statments to remember in regards to udp traffic are as follows:

udp[0:2] = source port
udp[2:2] = destination port
udp[4:2] = datagram length
udp[6:2] = UDP checksum

So in this example, I am simply asking tcpdump to show me udp traffic with a source port greater than or equal to 1024 and a destination port equal to port 80 and set the snaplen to 0 (show the entire packet contents).

This concludes another look into the endless possibilities that can be achieved with tcpdump and a good knowledge of berkly packet filters. Have fun with this, and nerd it up.

Just a real quick tip today, while I get back into the swing of things, post-moving.

A friend of mine showed me a very useful utility called mergecap, which is included with the wireshark package (formally known as Ethereal). This is one of those “so simple it hurts” tools, that I wish I had known about years ago. So what is so special about mergecap? Well if you’ve ever had to deal with multiple capture files, you know what a pain it can be to search through them all. This is where mergecap comes in handy.

There are a few options discussed in the man page, but in it’s simplest form, from the command line:

mergecap *.pcap -w /path/to/output/dir/name.pcap

Now, you simply wait a few seconds and you will have a properly merged pcap file. I tested this method on a few pcap files gigabytes in size and mergecap only took about 10 seconds to do its job.

If you are like me, and do not have X or a monitor installed on your sniffing box, I suggest installing tethereal, which is the command line only version of the wireshark package. Mergecap is included in the wireshark-common portion of the required packages.

Enjoy this short little tip and as always have fun nerding it up.

Removal of particle board – COMPLETE
Removal of all nails and old under layment – COMPLETE
Removal of appliances – COMPLETE

Installation of base boards – COMPLETE
Installation of chair rail – COMPLETE
Paint all bedrooms and hallway – COMPLETE

Install crown molding – PENDING
Paint all wood paneling – PENDING
Paint kitchen cabinets – PENDING
Tile bathrooms and laundry room – PENDING

So much work has been done to the house, I am literally amazed Karen and I were able to do it. We did recruit some of karen’s friends to help with painting, and I recruited a friend to help move some heavy stuff. So we didn’t do it all by ourselves, but most of the work did fall on us to do. I think now, even though not complete, karen and I have something we can truly feel proud of. We put our all into this house, and now the floors are being installed, we can really see what all we did and how really great it looks.

The wood seems a little dark in this image, it’s actually much lighter .. but still looks great either way. I have added tons of more images to the gallery if you care to view them, there are a few shots where you can see what the wood color actually is. The installers have been doing a kick ass job, and told me today that they should be done by saturday. So we should we moved in, within the next two weeks I hope.

Now that the house is as done as it can be, it’s time to make plans for moving. I have aquired the bare necessities in preparation for our move; by that I mean Direct TV HD and 6MB ADSL. This weekend a few friends are coming by for free beer and to help us pack, fun times ahead. This time around though, you will not see me lugging boxes all day. I am going to hire some movers to do it for me. I’ve met my hard work quota for the year.

thats it in a nutshell.

Just a quick update .. in case you have not heard, the bleeding edge community site (bleedingthreats.net) is no longer in service. However a new site/group has emerged to take it’s place. For all your bleeding edge snort rules, you will need to update your bookmarks and oinkmaster.conf for the new site, which is http://emergingthreats.net.

Work is progressing very well since my last post. I have added a ton more photos to the gallery album, though I doubt they are of really that much interest. My mom informed me today that she will drop off the garage door opener tomorrow, meaning the house is 100% officially ours. I don’t know why something like a garage door opener is all that significant, but it gives me a warm feeling all over knowing the house has become a home.

I am still “swinging the hammer” as I call it, and now I am over half-way done breaking up the particle board and removing carpet. I have one small bedroom, our office and the kitchen left to do. Karen has been working her ass off as well sorting through things, getting the kitchen arranged how she wants and making a list for painting supplies. All in all things are on schedule, I refuse to say ahead of schedule, because I don’t want to jinx things, but I think we are doing very well for our first try.

Karen created an animated gif of me getting my swing on, continue on if you dare .. trust me, it’s super lol.

So where have I been? Working on my house. After my father died back in February, my mother decided she no longer wanted the responsibility of maintaining a house. She passed the torch on to myself and my wife karen. At first that seemed like a really super awesome thing, but after a week of back breaking work, rental life isn’t seeming as bad any more. However, work is progressing on schedule and I am starting to be able to see how things are going to turn out when completed.

First we started with cleaning/sorting/moving out all the stuff that mother did not want or could not take with her to her new apartment. I thought sorting through 30 years of stuff was bad, I was dead wrong. In comparison that has been the easiest thing I’ve had to do as of yet.

After all the cleaning and sorting, I had to remove three built in cabinets and all the carpeting in the house. I thought this was going to be a real pain the ass, but it really wasn’t that bad. The carpet had been there since it was laid down in 1977, so it was dirty as hell, but it tore into manageable sections and wasn’t so hard to remove.

The current ongoing project is removing the particle board that resides under the carpet and above the subfloor. This my friends has been a hellacious project, I’ve created a simple formula for calculating this project: 21″ prybar + 5lb sledge hammer + 2200 square feet of particle board = one tired ass tre. On the upside though, the materials for our new floors will be delivered this wednesday! I am far from being ready for them to be installed, and thankfully the installers won’t begin work until January 7th.

I created a gallery for pictures of the progress: http://trepullins.net/v/house/renovation if you would like to see karen and I doing *real* work … get your click on.