how to capture openflow packets using tshark - tshark

I have a system with Arch Linux running OVS. I also have a controller running on the same box. I have the following setup:
ovs-vsctl set-controller br-int tcp:192.168.1.201:6633
I was hoping to use tshark (tshark 2.2.8) to capture the OpenFlow traffic using the following command:
sudo tshark -i br-int -d tcp.port==6633,openflow -O openflow_v4
It dumps all the flows that are flowing in the system but no packetIn OpenFlow messages. I did confirm the packetIn message was received by the controller (pasting the last few lines):
EVENT ofp_event->EventOFPPacketIn
packet in 1237689849893337 b8:27:xx:xx:yy:yy:zz ff:ff:ff:ff:ff:ff:3
I also understand from the tshark documentation that by default it uses port 6653 for OpenFlow.
tshark -G decodes | grep -i openflow
tcp.port 6653 openflow
However, I was under the impression that I could still look for OpenFlow traffic by using the following capture command:
https://wiki.wireshark.org/OpenFlow
tshark tcp port 6633
This also doesn't work, as no events are captured, though I can see the controller receiving lots of events.
I would greatly appreciate any help here.

My guess would be that you're not listening on the correct interface. Try the following:
sudo tshark -i any -d tcp.port==6633,openflow -O openflow_v4
If that doesn't work, it's possible your controller and switch are not communicating using OpenFlow 1.3. To make sure you see everything, try:
sudo tshark -i any -d tcp.port==6633
Details. Unless there's something particular in your setup, packets from Open vSwitch to the controller and back do not go through the bridge. Since both ends of the communication are on the same host, packets are probably going through the loopback interface:
sudo tshark -i lo -d tcp.port==6633
I was able to reproduce your setup and issue to confirm my answer with Open vSwitch 2.5.2 and Floodlight (master branch). I can see packets passing through on the loopback interface with both tcpdump and tshark.
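As an added illustration (not from the question or the answer above): once the port 6633 stream has been captured on lo, this parser splits a reassembled TCP payload into OpenFlow messages by their common 8-byte header and names the OpenFlow 1.3 types, which is a quick way to confirm that PACKET_IN messages are really on the wire and that openflow_v4 (wire version 4) is the right dissector. The sample bytes are constructed for the example, not captured.

```python
import struct
from collections import Counter

# Every OpenFlow version shares the same 8-byte header: version, type, length, xid
OFP_HEADER = struct.Struct("!BBHI")
# Wire version byte -> protocol version (tshark's openflow_v4 dissector is wire version 4)
OFP_VERSIONS = {1: "1.0", 2: "1.1", 3: "1.2", 4: "1.3", 5: "1.4", 6: "1.5"}
# Message type codes for OpenFlow 1.3 (they differ in 1.0, where PACKET_IN is 8)
OFP13_TYPES = {0: "HELLO", 1: "ERROR", 2: "ECHO_REQUEST", 3: "ECHO_REPLY",
               5: "FEATURES_REQUEST", 6: "FEATURES_REPLY", 10: "PACKET_IN",
               13: "PACKET_OUT", 14: "FLOW_MOD"}

def parse_ofp_stream(payload: bytes):
    """Split a reassembled TCP payload into OpenFlow messages.
    Returns a list of (version, type_name, xid, length) tuples and raises on a
    truncated message so a partial capture is noticed rather than misread."""
    msgs, off = [], 0
    while off < len(payload):
        if off + OFP_HEADER.size > len(payload):
            raise ValueError(f"truncated OpenFlow header at offset {off}")
        version, mtype, length, xid = OFP_HEADER.unpack_from(payload, off)
        if length < OFP_HEADER.size or off + length > len(payload):
            raise ValueError(f"bad length {length} at offset {off}")
        ver = OFP_VERSIONS.get(version, f"unknown({version})")
        name = OFP13_TYPES.get(mtype, f"type{mtype}") if version == 4 else f"type{mtype}"
        msgs.append((ver, name, xid, length))
        off += length
    return msgs

def summarize(payload: bytes) -> dict:
    """Count message types, e.g. to confirm PACKET_IN messages are present at all."""
    return dict(Counter(name for _, name, _, _ in parse_ofp_stream(payload)))

# Constructed sample stream: an OF1.3 HELLO followed by a PACKET_IN whose body is
# only the fixed fields (buffer_id, total_len, reason, table_id, cookie); it is
# not a real captured message.
PACKET_IN_BODY = struct.pack("!IHBBQ", 0xFFFFFFFF, 60, 0, 0, 0)
SAMPLE = (OFP_HEADER.pack(4, 0, 8, 1)
          + OFP_HEADER.pack(4, 10, 8 + len(PACKET_IN_BODY), 2) + PACKET_IN_BODY)

if __name__ == "__main__":
    for ver, name, xid, length in parse_ofp_stream(SAMPLE):
        print(f"OpenFlow {ver} {name} xid={xid} len={length}")
```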

Related

Using IPMI tool from Romulus

How do I run IPMI tool from the OpenBMC Romulus image? I was successful in running the Hello World program as per the tutorials. I want to run the IPMI tool command from Romulus to the BMC of another server. Is there any method of doing this, as the ipmitool command is not included? Is there any way of including it in the Romulus image?
ipmitool is really meant to be used outside of the BMC to control it. So in most use cases you install the ipmitool package on your computer (sudo apt install ipmitool), and then use it to talk to the server.
i.e.:
ipmitool -I lanplus -U root -H <server> -P <password> chassis power status
If you're using QEMU, then I believe you need to hostfwd port 623 for this to work. I personally have not gotten ipmitool to talk to a QEMU session before though.
If you really want ipmitool in your BMC image, then you could add it as a RDEPENDS to the packagegroup file similar to what facebook does in https://github.com/openbmc/meta-facebook/blob/master/meta-tiogapass/recipes-fbtp/packagegroups/packagegroup-fb-apps.bb
Romulus does not have ipmitool in its OpenBMC firmware image, as is the case with some other OpenBMC platforms; not all platforms have the SPI flash space to supply many utilities. You can use ipmitool from a remote machine to a Romulus system as below.
ipmitool -I lanplus -C 17 -p 623 -U root -H <server> -P <password> bmc info
or
ipmitool -I lanplus -C 17 -p 623 -U root -H <server> -P <password> raw 0x06 0x01
I chose to use -C 17 for cipher suite 17 as ipmitool defaults to cipher suite 3 and modern platforms have deprecated cipher suite 3 for security reasons.
Cipher suites 3 and 17 were the last two suites that had any security strength, and 17 is the stronger (do not read that as strong); suite 3 is now considered weak.
and here are the ipmitool commands:
usage: ipmitool [options...] <command>
-h This help
-V Show version information
-v Verbose (can use multiple times)
-c Display output in comma separated format
-d N Specify a /dev/ipmiN device to use (default=0)
-I intf Interface to use
-H hostname Remote host name for LAN interface
-p port Remote RMCP port [default=623]
-U username Remote session username
-f file Read remote session password from file
-z size Change Size of Communication Channel (OEM)
-S sdr Use local file for remote SDR cache
-D tty:b[:s] Specify the serial device, baud rate to use
and, optionally, specify that interface is the system one
-4 Use only IPv4
-6 Use only IPv6
-a Prompt for remote password
-Y Prompt for the Kg key for IPMIv2 authentication
-e char Set SOL escape character
-C ciphersuite Cipher suite to be used by lanplus interface
-k key Use Kg key for IPMIv2 authentication
-y hex_key Use hexadecimal-encoded Kg key for IPMIv2 authentication
-L level Remote session privilege level [default=ADMINISTRATOR]
Append a '+' to use name/privilege lookup in RAKP1
-A authtype Force use of auth type NONE, PASSWORD, MD2, MD5 or OEM
-P password Remote session password
-E Read password from IPMI_PASSWORD environment variable
-K Read kgkey from IPMI_KGKEY environment variable
-m address Set local IPMB address
-b channel Set destination channel for bridged request
-t address Bridge request to remote target address
-B channel Set transit channel for bridged request (dual bridge)
-T address Set transit address for bridge request (dual bridge)
-l lun Set destination lun for raw commands
-o oemtype Setup for OEM (use 'list' to see available OEM types)
-O seloem Use file for OEM SEL event descriptions
-N seconds Specify timeout for lan [default=2] / lanplus [default=1] interface
-R retry Set the number of retries for lan/lanplus interface [default=4]
Interfaces:
open Linux OpenIPMI Interface [default]
lan IPMI v1.5 LAN Interface
lanplus IPMI v2.0 RMCP+ LAN Interface
serial-terminal Serial Interface, Terminal Mode
serial-basic Serial Interface, Basic Mode
Commands:
raw Send a RAW IPMI request and print response
i2c Send an I2C Master Write-Read command and print response
spd Print SPD info from remote I2C device
lan Configure LAN Channels
chassis Get chassis status and set power state
power Shortcut to chassis power commands
event Send pre-defined events to MC
mc Management Controller status and global enables
sdr Print Sensor Data Repository entries and readings
sensor Print detailed sensor information
fru Print built-in FRU and scan SDR for FRU locators
gendev Read/Write Device associated with Generic Device locators sdr
sel Print System Event Log (SEL)
pef Configure Platform Event Filtering (PEF)
sol Configure and connect IPMIv2.0 Serial-over-LAN
tsol Configure and connect with Tyan IPMIv1.5 Serial-over-LAN
isol Configure IPMIv1.5 Serial-over-LAN
user Configure Management Controller users
channel Configure Management Controller channels
session Print session information
dcmi Data Center Management Interface
nm Node Manager Interface
sunoem OEM Commands for Sun servers
kontronoem OEM Commands for Kontron devices
picmg Run a PICMG/ATCA extended cmd
fwum Update IPMC using Kontron OEM Firmware Update Manager
firewall Configure Firmware Firewall
delloem OEM Commands for Dell systems
shell Launch interactive IPMI shell
exec Run list of commands from file
set Set runtime variable for shell and exec
hpm Update HPM components using PICMG HPM.1 file
ekanalyzer run FRU-Ekeying analyzer using FRU files
ime Update Intel Manageability Engine Firmware
vita Run a VITA 46.11 extended cmd
lan6 Configure IPv6 LAN Channels

How to do netcat with gawk networking?

I'm on a machine that has a very old netcat version which doesn't support the HTTP proxy option (-X). And I need to do netcat through an HTTP proxy on this machine (to proxify ssh with ProxyCommand).
I've tried to send CONNECT <host>:<port> with the old netcat before passing stdin/stdout to ssh, but without success.
I've found that gawk has networking support according to the documentation and I've tried to make netcat work with it, but without success.
How do I send the CONNECT command first, read the response of the proxy, and then go into a two-way read/write loop on stdin/stdout?
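An added illustration of the exchange the question describes, written in Python rather than gawk (it is not from the question): send CONNECT, parse the proxy's reply while keeping any bytes that arrive after the header block, then relay stdin/stdout in both directions. The proxy and destination addresses are assumed to come from the command line.

```python
import select
import socket
import sys
def build_connect(host: str, port: int) -> bytes:
    """The CONNECT request sent to the proxy first, as the question describes."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def parse_connect_reply(buf: bytes):
    """Return (status, leftover) once the proxy's full header block has arrived, or None
    if more bytes are needed; leftover bytes already belong to the tunnel (e.g. the SSH
    banner) and must be passed on rather than dropped."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    status_line = buf[:end].split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1]), buf[end + 4:]

def relay(sock, rd, wr):
    """Two-way copy between rd/wr (stdin/stdout) and the tunnel until a side closes."""
    readers = [sock, rd]
    while readers:
        for f in select.select(readers, [], [])[0]:
            if f is sock:
                data = sock.recv(65536)
                if not data:
                    return
                wr.write(data); wr.flush()
            elif (data := rd.read1(65536)):
                sock.sendall(data)
            else:                     # stdin hit EOF: half-close the tunnel
                readers.remove(rd); sock.shutdown(socket.SHUT_WR)

if __name__ == "__main__":  # usage: script PROXY_HOST PROXY_PORT DEST_HOST DEST_PORT
    phost, pport, dhost, dport = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    s = socket.create_connection((phost, pport))
    s.sendall(build_connect(dhost, dport))
    buf, reply = b"", None
    while reply is None:
        chunk = s.recv(4096)
        if not chunk:
            sys.exit("proxy closed the connection before replying")
        buf += chunk
        reply = parse_connect_reply(buf)
    if reply[0] != 200:
        sys.exit(f"proxy refused CONNECT with status {reply[0]}")
    sys.stdout.buffer.write(reply[1]); sys.stdout.buffer.flush()
    relay(s, sys.stdin.buffer, sys.stdout.buffer)
```

For ssh, point the ProxyCommand option at this script with the proxy and target host/port as arguments.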

Running Snort as Service

I am running Snort on Windows to sniff a single interface. I wanted to sniff two interfaces with Snort and I learned I have to fire the same command twice for different interfaces.
Now I want to run it as a service and I used this command:
c:\snort\bin\snort.exe /SERVICE /INSTALL -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf
This will create a service for Snort.
So, how do I run Snort as a service for multiple interfaces?
Any help will be appreciated.
I'm not all that familiar with Snort on Windows, but if you're able to do it, it should work similar to Linux. You would have to bridge the interfaces (Windows 7 steps) and use the bridge with the -i. If you bridge your 2 interfaces and then run "snort -W" and see the bridge show up, you should just be able to use that to sniff on both interfaces. I have never tested this though, but in theory it should work.

Netcat: using nc -l port_number instead of nc -l -p port_number

This question is following this one: Sockets working in openSUSE do not work in Debian?
When working with sockets on my Debian system, I have to use nc -l -p port_number to simulate the server I want to talk with. If I'm using nc -l port_number, it will fail when using the socket connect function and strerror(errno) will say "Connection refused".
Netcat without the -p option works great on other Linux distributions; what should I change in my configuration?
Do not adjust your set. There are multiple implementations of netcat out there; not all of them behave the same.
In particular, the "traditional" version of netcat, which is probably what you have installed on your Debian system, will end up doing something totally unexpected if you omit the -p ("port") flag: it will end up treating the last argument as a hostname, pass it to inet_aton(), which will convert it to a nonsensical IP address (e.g., 1234 will become 0.0.4.210), and will then proceed to ignore that IP address and listen on a socket with an automatically assigned (probably random) port number.
This behavior is obviously silly, so some other implementations of netcat will assume you meant -p. The one you're using doesn't, though, so pass the -p option.
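To show what the inet_aton() step described above actually produces, an added example (not part of the answer) using Python's socket.inet_aton, which wraps the C library call; classify() is a hypothetical helper a wrapper script could use to refuse an ambiguous argument instead of letting it be reinterpreted.

```python
import socket

def legacy_address(arg: str):
    """Resolve arg the way the C library's inet_aton() does, which is the call the
    answer says traditional netcat makes on its last argument. Python's
    socket.inet_aton wraps that function, so it accepts the same legacy forms:
    a bare integer, a.b, a.b.c, and octal/hex parts. Returns the dotted quad,
    or None when the string is rejected outright."""
    try:
        return socket.inet_ntoa(socket.inet_aton(arg))
    except OSError:
        return None

def strict_address(arg: str) -> bool:
    """inet_pton(AF_INET) accepts only a.b.c.d with decimal octets."""
    try:
        socket.inet_pton(socket.AF_INET, arg)
        return True
    except OSError:
        return False

def classify(arg: str) -> str:
    """Say how a bare command-line argument would be interpreted, so a script
    wrapping nc can refuse an ambiguous one rather than listen on a random port."""
    if arg.isdigit() and 1 <= int(arg) <= 65535:
        return "port"             # traditional nc still hands this to inet_aton()
    if strict_address(arg):
        return "address"
    if legacy_address(arg) is not None:
        return "legacy-address"   # accepted only via inet_aton()'s non-standard forms
    return "hostname-or-invalid"

if __name__ == "__main__":
    for arg in ("1234", "4242", "127.1", "10.0.0.1", "localhost"):
        print(f"{arg:>10} -> {classify(arg):20} inet_aton={legacy_address(arg)}")
```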
I agree with duskwuff that it is better to just use the -p option everywhere, but to answer your question:
The one thing you have to do is install a netcat that supports the syntax you want. I know the netcat-openbsd package supports it. I know the netcat-traditional package does not. There's also a netcat6 package, which also doesn't. You can then explicitly request the OpenBSD version of netcat like so:
nc.openbsd -l 4242
Optionally you may use the alternatives system to set this version of netcat to run when you issue the nc command:
update-alternatives --set nc /bin/nc.openbsd
This will be done automatically for you if this is the only netcat you've installed.
Finally, you may, again optionally, remove the netcat you don't like (netcat-traditional or netcat6).

Wireshark. How to route traffic from iPhone

I'm trying to capture packets from my iPhone app. It does not use HTTP to communicate, but a custom protocol to connect with my server. I cannot use Paros to monitor the packets sent.
Is it possible to proxy the data through Wireshark just like you can with Paros for HTTP?
You can't proxy the data through Wireshark, per se; the problem is to have Wireshark running somewhere where it can see the traffic passing by. (If you had command line only, you could run tcpdump and capture packets, and then load the dump file into Wireshark somewhere else that had a UI.)
Are you on a Mac? If so, plug your mac into ethernet so that it has an internet connection (or connection to your server, anyway). Then share your Mac's internet connection over its wifi. Connect to this wifi point using your iPhone. Run Wireshark on the Mac (promiscuous mode enabled), then use your iPhone app and watch Wireshark. No need to mess around with servers or forwarding X11 connections! You could do something very similar with a Windows PC too.
The best solution that works:
Connect your device through USB and type these commands:
rvictl -s UDID (UDID = id of device, 32 chars, you can locate it in iTunes or 'Devices & Simulators' in Xcode)
sudo launchctl list com.apple.rpmuxd
sudo tcpdump -n -t -i rvi0 -q tcp
OR just sudo tcpdump -i rvi0 -n
If rvictl is not working install Xcode (or see -bash : rvictl: command not found, Mac book pro OS X 10.7.5 & Xcode 4.6)
For more info:
Remote Virtual Interface
http://useyourloaf.com/blog/2012/02/07/remote-packet-capture-for-ios-devices.html
Run wireshark on the server - you'll see the traffic there.