Archive for the ‘Learning’ Category
In the previous post on IP header analysis, we saw that we can analyze the datagram more thoroughly by using the hexadecimal dump option. Now we are going to look at how to convert hexadecimal to decimal BY HAND.
Let’s take the same example from the previous post… Source IP Address: c0a8 0d14. What does it represent?
Based on the conversion table above, the calculation is as follows:
So now we know that the source IP address is 192.168.13.20. Correct?
Let’s compare with the standard WinDump output:
03:19:38.413592 IP 192.168.13.20 > 192.168.13.47: ICMP echo request, id 43, seq 40150, length 24
There are many automated converters out there which can really ease your job (this is the one I use most often). My intention in sharing this is just to let you know and understand the theory behind hex-to-decimal conversion. Enjoy!
Today we will look at how to analyze an IP header using WinDump.
To do this, we first need to use the hexadecimal dump option in WinDump.
windump -i 3 -x -n icmp[0]=8 (use the hexadecimal dump option -x)
03:19:38.413592 IP 192.168.13.20 > 192.168.13.47: ICMP echo request, id 43, seq 40150, length 24
0x0000: [4500 002c 0a7f 0000 ff01 15be c0a8 0d14
0x0010: c0a8 0d2f] 0800 22f4 002b 9cd6 e0c2 ee05
0x0020: 7cee db0f 383d d905 0000 0000 0000
We will focus on the first 20 bytes of the datagram (within the square brackets), which are the IP header.
Let’s get a simple illustration from Wikipedia:
Now we can dissect the IP header as follows. I will only touch on a few important fields.
*Version: 4 (so this is IPv4)
*Internet Header Length: 5 (number of 32-bit words; in this case 5, which is 5 x 32 = 160 bits = 20 bytes)
Total Length: 002c
Fragment Offset: 00
Time to Live: ff
*Protocol: 01 (an ICMP message follows this IP header)
Header checksum: 15be
*Source IP Address: c0a8 0d14
*Destination IP Address: c0a8 0d2f
In the protocol field, 06 (hex) represents TCP and 11 (hex) represents UDP.
4 bits = 1 nibble
8 bits = 1 byte
We should always remember that counting always begins at 0 in WinDump. For instance, what does the byte at offset 9 represent? Yes, it is the protocol field. This can be quite useful sometimes. Why?
Let’s say we want to dump all ICMP traffic. How? Use this command:
windump -i 3 -x -n ip[9]=1
It will dump every datagram whose byte at offset 9 equals 1, which means an ICMP record.
Actually, the WinDump output has already provided us with all the information we need, such as source/destination IP, protocol, etc. However, it is good for us to know how to analyze the IP header, as it may help us uncover any kind of tampering with the datagram.
Standard WinDump Output:
03:19:38.413592 IP 192.168.13.20 > 192.168.13.47: ICMP echo request
Main Reference: http://en.wikipedia.org/wiki/IPv4_header#Header
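Putting the hand conversion and the header dissection above into code, here is an added example (not from the original post) that rebuilds the IP header from the hex dump, converts each field with the same digit-by-digit weighting as the manual method, and recomputes the header checksum so a modified header is caught; the dump lines are copied from the post, everything else is my own.

```python
# Added example, not from the original post: rebuild the IP header from the
# WinDump "-x" dump above, convert its fields from hex by the weighted sum used
# in the by-hand conversion, and recompute the checksum to detect tampering.
WINDUMP_DUMP = """
0x0000: 4500 002c 0a7f 0000 ff01 15be c0a8 0d14
0x0010: c0a8 0d2f 0800 22f4 002b 9cd6 e0c2 ee05
0x0020: 7cee db0f 383d d905 0000 0000 0000
"""  # copied from the windump output in the post

def hex_to_int(text):
    """Hex to decimal by hand: each digit is worth 16 ** its position."""
    value = 0
    for digit in text.lower():
        value = value * 16 + "0123456789abcdef".index(digit)
    return value

def dump_to_bytes(dump):
    """Strip the 'offset:' labels and join the hex words into raw bytes."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split(":", 1)[1].split())
    return bytes.fromhex("".join(words))

def ip_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words, checksum field zeroed."""
    total = 0
    for i in range(0, len(header), 2):
        if i != 10:  # offsets 10-11 hold the checksum itself
            total += (header[i] << 8) | header[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def dotted_quad(four_bytes):
    """c0a8 0d14 -> 192.168.13.20, one byte (two hex digits) at a time."""
    return ".".join(str(hex_to_int(four_bytes[i:i + 1].hex())) for i in range(4))

def parse_ip_header(packet):
    ihl = (packet[0] & 0x0F) * 4  # IHL is in 32-bit words: 5 -> 20 bytes
    h = packet[:ihl]
    csum = (h[10] << 8) | h[11]
    return {
        "version": packet[0] >> 4,
        "header_len": ihl,
        "total_length": hex_to_int(h[2:4].hex()),
        "ttl": h[8],
        "protocol": h[9],  # byte offset 9, the field the ip[9]=1 filter tests
        "checksum_ok": ip_checksum(h) == csum,
        "src": dotted_quad(h[12:16]),
        "dst": dotted_quad(h[16:20]),
    }
```

The 46 bytes in the dump are two more than the Total Length of 44 because the Ethernet frame was padded to its minimum size; the parser only uses the first 20.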
Interested in packet analysis? Don’t know how to start? Try this out – WinDump.
Some will ask, why WinDump? Don’t we have more powerful tools such as Wireshark?
For me, if you want a strong foundation in packet analysis, I suggest you start with WinDump.
Unlike Wireshark, which gives you everything, WinDump motivates you to think!
WinDump will read all the traffic passing on the network and print it in a standard format.
Just like other tools, it has many functions (with different command options). I will only show a few here.
If you wish to learn more, go here for the lengthy manual. =)
Some commands which you need to know to get started:
windump -D [view all network adapters]
windump -i 3 host 192.168.13.47 [capture traffic involving IP 192.168.13.47 on the 3rd adapter]
I will focus more on the WinDump output, to help you learn how to read it.
21:07:06.286902 IP 192.168.13.31.2583 > 192.168.13.37.3389: S 1274736368:1274736368(0) win 65535
From left to right:
(1) Timestamp: HH:MM:SS
(2) Source Host: Source Port
(3) Destination Host: Destination Port
The rest of the output differs depending on the protocol involved. In this case, the transport protocol is TCP.
To understand this, you need some basic knowledge of TCP. What are the characteristics of TCP?
Yes, it contains TCP flags.
The S represents SYN, which means 192.168.13.31 is requesting to initiate a TCP session with 192.168.13.37.
Some other flags are:
PSH – Send data
RST – Abort a connection
FIN – Terminate a connection
Anything else? Yes, there is a TCP sequence number, which aims to guarantee reliable packet delivery by tracking the sequence of bytes. In this case, what we see is the Initial Sequence Number (ISN), as this is the start of a connection. What does the zero in parentheses mean? It means this segment carries no data bytes, which is characteristic of a SYN.
Last but not least, we have the window size. What is the window size? In simple words, 192.168.13.31 is informing 192.168.13.37 how large its incoming TCP buffer is (in this case, 65535 bytes).
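As an added example (not from the original post), the following parses the WinDump TCP summary line discussed above into its fields and also handles the optional ack value that appears once a session is established; the first line is the one from the post, the reply line is constructed for illustration.

```python
# Added example, not from the original post: pick apart a WinDump TCP summary
# line field by field (timestamp, endpoints, flags, sequence range, payload
# length, optional ack, window) and translate the flag letters as the post does.
import re

WINDUMP_TCP_LINE = ("21:07:06.286902 IP 192.168.13.31.2583 > 192.168.13.37.3389: "
                    "S 1274736368:1274736368(0) win 65535")  # copied from the post

# Constructed reply line (not from the post) to exercise the optional ack field.
CONSTRUCTED_SYNACK_LINE = ("21:07:06.287104 IP 192.168.13.37.3389 > 192.168.13.31.2583: "
                           "S 98765:98765(0) ack 1274736369 win 8192")

FLAG_NAMES = {"S": "SYN", "P": "PSH", "R": "RST", "F": "FIN", "U": "URG", ".": "ACK"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPRFU.]+) (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

def parse_tcp_line(line):
    """Return the fields of one summary line as a dict of typed values."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a WinDump TCP summary line: " + line)
    g = m.groupdict()
    seq_start, seq_end, length = int(g["seq_start"]), int(g["seq_end"]), int(g["len"])
    if seq_end - seq_start != length:  # (len) must equal the span seq_start:seq_end
        raise ValueError("sequence range does not match data length: " + line)
    return {
        "timestamp": g["ts"],
        "src": (g["src"], int(g["sport"])),
        "dst": (g["dst"], int(g["dport"])),
        "flags": [FLAG_NAMES[c] for c in g["flags"]],
        "seq": seq_start,
        "data_len": length,
        "ack": int(g["ack"]) if g["ack"] else None,
        "window": int(g["win"]),
        "is_initial_syn": g["flags"] == "S" and length == 0,  # ISN, no data yet
    }
```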
Oh ya, you can download WinDump here. Don’t forget WinPcap as well. Enjoy!
Someone gives you one million to go into shit mud and clean it up. Will you do it?
What first comes to your mind?
One Million vs. Shit?
What should I choose?
No ideas? Keep on thinking…
And he said: “I will do it…”
I will take the one million and hire some others to do it…
Pay him $100,000 and I still have $900,000 going into my pocket.
Why do we see only two options?
See, we tend to panic when we focus too much on the outcome, until we forget the exact process we need to go through to achieve our goals.
Are we making the same mistake? Think about it.
~A lecture with Raja Baharuddin Anom~
Source of Image: http://fr.toonpool.com/cartoons/Who%20cean%20this%20shit_13352 (Rompozzo)
All this time I used to perform troubleshooting from my office PC using Telnet. The PC runs Windows XP and I found no problems with Telnet. However, when I tried to use Telnet from my personal laptop, which runs Windows 7, I got this error: “‘telnet’ is not recognized as an internal or external command, operable program or batch file.”
Weird, how come? I googled around and finally found the solution. Windows 7 disables Telnet by default. We need to change the setting here: go to Control Panel > Programs. Under Programs and Features, click Turn Windows features on or off and look for Telnet Client. Check the box and you are done. Based on what I know, this applies to Windows Vista too.
Problem solved and now is the time to sleep. Good night.
I want to share with you guys the power of Twitter search and how criminals can use it to commit crimes. Mmm… Assume I am the criminal and I am not even a Twitter member. I am desperate enough to commit a crime. I have no specific target; I just want to kidnap someone. I am thinking about where I can start and who my target could be. Here I go… Type “off to” and these are the results I got. Good, scroll up and down, then pick an easy target!
As you can see, some are even worse. They straightaway mention: “Off to xxx myself”. It totally reveals that you are going to do something alone. If you were a criminal, who would you pick? Guys, I am not teaching you how to gather information and kidnap people. But I am trying to let you know: “Please do not expose everything about yourself to others!” It is too dangerous.
You can avoid this by changing your settings in Twitter. Go to Settings, under the Account tab, check Twitter Privacy – Protect my tweets and click the Save button. See how easy it is. What are you waiting for? Act now!
What does a NIC look like? Is it a stupid question? It depends. If you are an IT professional responsible for fixing PCs and laptops in your IT department, I would say maybe it is a stupid question for you. But for others, maybe it is not.
Recap of my previous post, which mentioned that a network card (more formally called a NIC – network interface card) is a must to set up a network. Did anyone raise the question – what does a network card look like – when they read through that post?
This happens to most of our university students today. They focus on theory but end up with nothing when they finish their three to four years of study at university. The reasons are, first, they do not like to ask, and second, they do not like to explore on their own.
I am now in my final semester and I would like to admit that I only learnt what a NIC looks like a few days ago, when the IT administrator in my company was fitting a NIC into one of the PCs.
Thus, I would like to share what I saw here. Maybe it sounds silly to you, but at least for me it is not. I feel no shame in learning something new. This is what we call the good attitude of learning. Well, at the same time I should also review what I have learnt in my four years at university. There must be something wrong!
Reading is one of the most common methods of learning. Even now that I have stepped into the industry, reading is still a major part of my life. The problem is – how can we make our reading effective?
Throughout my time in school and university, I found that there are TWO approaches we can take to make sure what we read is stored in our brain effectively (longer than usual). First, explain to our friends what we have read, and second, write down what we have read without referring to the book.
Thus, don’t be stingy in sharing your knowledge. For instance, when you have just studied a new chapter your lecturer taught, and at the same time your friend failed to catch up, try to explain to him/her what you have revised. If you manage to explain it and he/she understands your explanation, it means you have now mastered the new chapter. If you fail, you will need to read through the chapter again (most of the time you will know which part you are missing).
The same goes for the second approach – write down what you have read. Let’s say you have learnt a new theory and you want to test whether you fully understood it. Close the book and start to write down the new theory (along with all the deep explanation). If you fail to do so, it means you are still far from mastering the new theory. If you manage to re-write what is in the book, I would like to say: Congratulations. Now you can put what you wrote on your personal blog, so that you can share your knowledge with others.
See, the learning process is always great, especially when you share with people what you have learnt. Don’t simply read and assume that you have already mastered what you have read; it never works. Remember – read, write and share.
Continuing with the academic talk from Dr. Shahid Khabir. Besides the Success and Failure rule, he also shared with us his knowledge on research. At the end of the talk, a lecturer raised a question: “How do we start a research?”. Yes, many people have this question in their mind. How am I going to start? Actually, Dr. Shahid had already answered it in his presentation. He came up with the Hourglass Model which we can follow in doing research.
First of all, we need to know what leads to our research. There must be some questions to answer and some problems to solve. For instance, we realize that knowledge is one of the most valuable intangible assets for individuals and organizations. Thus, we need to know how to utilize and preserve knowledge. This is what we call knowledge management. There are many existing models of knowledge management. The questions are: Which is the most suitable? Are we going to implement an existing model? Or are we going to create a new model?
Yet these questions are too general. We need to narrow these problems down to a specific area. For example, where are we going to implement knowledge management and what kind of knowledge will be involved? Let’s say we are going to develop a model of knowledge management for a multimedia production house. Now we have a specific aspect: multimedia knowledge.
After we have a specific area of research, we can start to gather and analyze data. But before we start, we need to come up with the design of our research – the research methodology. The process of gathering and analyzing data must be based on the methodology we fixed. Using the data we analyzed, we will then create a model of multimedia knowledge management. The model is the final product of this research. It will then be implemented in the real world – a multimedia production house.
From a global view, we narrow our minds down to a specific aspect. Then we focus on that area and work on it. Finally, we come up with our new ideas (maybe a model, an algorithm) which are useful and have an impact on global society. This is what we call the Hourglass Model.
Are you ready to start your research?
Failing to sleep tonight, I looked at the list of subjects I have taken in my 3 years of university life, and I found a few “killer” subjects:
(1) Design Engineering and Software Testing (My Grade: C+)
(2) Network Security (My Grade: B+)
(3) Computer Organization and Architecture (My Grade: A-)
(4) Programming Paradigm (My Grade: A-)
(5) Database (My Grade: A-)
(6) Software Requirement Engineering (My Grade: A-)
(7) Software Project Management (My Grade: A-)
Most of us tend to blame others when we get a bad grade in certain subjects. I am also one who does that. But when I reviewed it deeply, I realized that the factor which caused me to get a bad grade is ME. I did not hand in the assignment for Network Security. I handed in the assignment for Design Engineering and Software Testing, but not on time. I relied too much on my COA lecturer and just depended on her to give me every single tip.
At the same time, I have no regrets about getting A- for Database, Software Requirement Engineering, Programming Paradigm and Software Project Management. Indeed, I learnt a lot from all those classes. What’s more, the grades I got reflect my real ability.
There are always some reasons behind a failure. Don’t always point our fingers at others when we fail. We need to look into ourselves and see what we did that led us to failure.
At the same time, there are no perfect things in this world. Sometimes we have tried our best but still got a “so-so” grade. Don’t get fed up, because we know we tried our best. Remember, every grade means something to us:
A=Good, for sure; B=Bagus, C=Cemerlang, D=Distinction, E=Excellence, F? I have no idea and that’s why I felt “proud” when I got my first C+! :p