Malicious software will often attempt to replace core system files with modified versions in an effort to take control of the system. The System File Checker can be used to verify the integrity of the Windows system files. If any of the files are found to be missing or corrupt, they will be replaced. You can run the System File Checker by using this command:

sfc /scannow
2: File Signature Verification

One way to verify the integrity of a system is to make sure that all the system files are digitally signed. You can accomplish this with the File Signature Verification tool. This tool is launched from the command line but uses a GUI interface. It will tell you which system files are signed and which aren’t. As a rule, all the system files should be digitally signed, although some hardware vendors don’t sign driver files. The command used to launch the File Signature Verification tool is:

sigverif
3: Driverquery

Incorrect device drivers can lead to any number of system problems. If you want to see which drivers are installed on a Windows 7 system, you can do so by running the driverquery tool. This simple command-line tool provides information about each driver that is being used. The command is:

driverquery
If you need a bit more information, you can append the -v switch. Another option is to append the -si switch, which causes the tool to display signature information for the drivers. Here’s how they look:

driverquery -v
driverquery -si
4: Nslookup

The nslookup tool can help you to verify that DNS name resolution is working correctly. When you run nslookup against a host name, the tool will show you how the name was resolved, as well as which DNS server was used during the lookup. This tool can be extremely helpful when troubleshooting problems related to legacy DNS records that still exist but that are no longer correct.

To use this tool, just enter the nslookup command, followed by the name of the host you want to resolve. For example:

nslookup dc1.contoso.com
5: Ping

Ping is probably the simplest of all diagnostic commands. It’s used to verify basic TCP/IP connectivity to a network host. To use it, simply enter the command, followed by the name or IP address of the host you want to test. For example:

ping 192.168.1.1
Keep in mind that this command will work only if Internet Control Message Protocol (ICMP) traffic is allowed to pass between the two machines. If at any point a firewall is blocking ICMP traffic, the ping will fail.

6: Pathping

Ping does a good job of telling you whether two machines can communicate with one another over TCP/IP, but if a ping does fail, you won’t receive any information regarding the nature of the failure. This is where the pathping utility comes in.

Pathping is designed for environments in which one or more routers exist between hosts. It sends a series of packets to each router that’s in the path to the destination host in an effort to determine whether the router is performing slowly or dropping packets. At its simplest, the syntax for pathping is identical to that of the ping command (although there are some optional switches you can use). The command looks like this:

pathping 192.168.1.1
7: Ipconfig

The ipconfig command is used to view or modify a computer’s IP addresses. For example, if you wanted to view a Windows 7 system’s full IP configuration, you could use the following command:

ipconfig /all
Assuming that the system has acquired its IP address from a DHCP server, you can use the ipconfig command to release and then renew the IP address. Doing so involves using the following commands:

ipconfig /release
ipconfig /renew
Another handy thing you can do with ipconfig is flush the DNS resolver cache. This can be helpful when a system is resolving DNS addresses incorrectly. You can flush the DNS cache by using this command:

ipconfig /flushdns
8: Repair-bde

If a drive that is encrypted with BitLocker has problems, you can sometimes recover the data using a utility called repair-bde. To use this command, you will need a destination drive to which the recovered data can be written, as well as your BitLocker recovery key or recovery password. The basic syntax for this command is:

repair-bde -rk | rp
You must specify the source drive, the destination drive, and either the rk (recovery key) or the rp (recovery password) switch, along with the path to the recovery key or the recovery password. Here are two examples of how to use this utility:

repair-bde c: d: -rk e:\recovery.bek
repair-bde c: d: -rp 111111-111111-111111-111111-111111-111111
9: Tasklist

The tasklist command is designed to provide information about the tasks that are running on a Windows 7 system. At its most basic, you can enter the following command:

tasklist
The tasklist command has numerous optional switches, but there are a couple I want to mention. One is the -m switch, which causes tasklist to display all the DLL modules associated with a task. The other is the -svc switch, which lists the services that support each task. Here’s how they look:

tasklist -m
tasklist -svc
10: Taskkill

The taskkill command terminates a task, either by name (which is referred to as the image name) or by process ID. The syntax for this command is simple. You must follow the taskkill command with -pid (process ID) or -im (image name) and the name or process ID of the task that you want to terminate. Here are two examples of how this command works:

taskkill -pid 4104
taskkill -im iexplore.exe


check table TABLE_NAME;
Repair table TABLE_NAME;


Included on most Linuxes. This is a simple way to set up and use separate parameter files or even a good way of accomplishing INCLUDE’s in your configs. Example of usage is provided by Iñaki Baz Castillo;

I strongly recommend you to use M4 to compile your opensips.cfg file:

file /etc/opensips/opensips.cfg.m4:
———————————————
debug=3
log_stderror=no
log_facility=LOG_LOCAL7
fork=yes
…
listen=MY_IP:MY_PORT
…
rewritehost(“MEDIA_SERVER_IP:MEDIA_SERVER_PORT”);
…
———————————————

file /etc/opensips/defines.m4 (at your home):
———————————————
divert(-1)
define(`MY_IP’, `192.168.10.23′)
define(`MY_PORT’, `5060′)
define(`MEDIA_SERVER_IP’, `192.168.10.23′)
define(`MEDIA_SERVER_PORT’, `5065′)
divert(0)dnl
———————————————

file /etc/opensips/defines.m4 (at your office):
———————————————
divert(-1)
define(`MY_IP’, `123.123.123.123′)
define(`MY_PORT’, `5060′)
define(`MEDIA_SERVER_IP’, `22.22.22.22′)
define(`MEDIA_SERVER_PORT’, `5065′)
divert(0)dnl
———————————————

Create a bash script:
/usr/local/bin/op-restart.sh:
———————————————-
#!/bin/bash
DIR=”/etc/opensips”
m4 $DIR/defines.m4 $DIR/opensips.cfg.m4 > $DIR/opensips.cfg
/etc/init.d/opensips restart
———————————————-

So you just must change the /etc/opensips/opensips.cfg.m4 file and the
defines.m4 (this last file will be different depending on your location).

2. ngrep

### capture all SIP packages on 5060 on all interfaces
ngrep -W byline -td any . port 5060

### capture all SIP packages containing ‘username’ on port 5060 on all interfaces
ngrep -W byline -tqd any username port 5060

3. SIPp
4. tshark

### Filter on RTCP packets reporting any packet loss or jitter over 30ms:
tshark -i eth0 -o “rtcp.heuristic_rtcp: TRUE” -R ‘rtcp.ssrc.fraction >= 1 or rtcp.ssrc.jitter >= 30′ -V

### View a remote realtime capture with a local wireshark:
wireshark -k -i <(ssh -l root 192.168.10.98 tshark -w – not tcp port 22)

5. sipviewer
6. sipana
7. pcapsipdump

pcapsipdump is libpcap-based SIP sniffer with per-call sorting capabilities. It writes SIP/RTP sessions to disk in a same format, as “tcpdump -w”, but one file per SIP session (even if there is thousands of concurrent SIP sessions).

WEB page http://pcapsipdump.sourceforge.net/
8. sipscenario
9. the “siptrace” table

Don’t forget the sip_trace() command (in module http://www.opensips.org/html/docs/modules/1.4.x/siptrace.html )

(Maybe some clever usage for something other than just plain searching it (like an integration with sipscenario))
10. sipinspector

http://sites.google.com/site/sipinspectorsite/

11. Resync/reboot Linksys phones

PhPSIP UA for sending a NOTIFY to resync/reboot Linksys phone. The tool can authenticate (SIP digest) against the Linksys phone.

http://code.google.com/p/php-sip/

12. Nagios memory check plugin

http://level7systems.co.uk/en/blog/OpenSIPs+memory+check+in+Nagios

Most of the High Availability features of Oracle require you to enable ARCHIVELOG mode for your database. When you enable this mode redo logs will be archived instead of overwritten. The archivelogs are stored in a seperate place usually can backed up regularly by your standard filesystem backup system (NetBackup or whatever). Archive logs are utilized by RMAN, Data Guard, Flashback and many others.

If your going to enable archivelog mode on a real database thats important to you, I would recommend shutting down the database and doing a cold backup just in case. Keeping a “final noarchivelog mode backup” seems to be a good and excepted practice.

Enabling archive mode is simple, just connect to your database in mounted but closed mode (startup mount) and alter the database. But if you don’t tune alittle you’ll run into problems down the road, so lets specify some parameters too. Namely, consider LOG_ARCHIVE_DEST.

Lets start by checking the current archive mode.

SQL> SELECT LOG_MODE FROM SYS.V$DATABASE;

LOG_MODE
————
NOARCHIVELOG

So we’re in NOARCHIVELOG mode and we need to change. We can use a database alter statement, but that won’t be perminant, so lets just update the pfile directly. The pfile should be in either $ORACLE_BASE/admin/SID/pfile or $ORACLE_HOME/admin/SID/pfile. I’ll add the following lines to the end of the file:

############################
# Archive Log Destinations -benr(10/15/04)
############################
log_archive_dest_1=’location=/u02/oradata/cuddle/archive’
log_archive_start=TRUE

Note that we’re not actually required to specify the location of the log destination, but if you don’t it’ll end up in strange places (in my test it went to $ORACLE_HOME/dbs making a mess). You can specify as many as 10 diffrent archive log destinations by using the paramters log_archive_dest_1 through log_archive_dest_10. Remember, if you run out of space in your archive log destination the database will shut down!

Now we can startup the database in mount mode and put it in archivelog mode.

[oracle@vixen pfile]$sqlplus sys/passwd as sysdba;
SQL*Plus: Release 10.1.0.2.0 – Production on Fri Oct 15 16:00:58 2004
Copyright (c) 1982, 2004, Oracle. All rights reserved.
Connected to an idle instance.

SQL> startup mount
ORACLE instance started.

Total System Global Area 184549376 bytes
Fixed Size 1300928 bytes
Variable Size 157820480 bytes
Database Buffers 25165824 bytes
Redo Buffers 262144 bytes
Database mounted.

SQL> alter database archivelog;
Database altered.

SQL> alter database open;
Database altered.

You can see here that we put the database in ARCHIVELOG mode by using the SQL statement “alter database archivelog”, but Oracle won’t let us do this unless the instance is mounted but not open. To make the change we shutdown the instance, and then startup the instance again but this time with the “mount” option which will mount the instance but not open it. Then we can enable ARCHIVELOG mode and open the database fully with the “alter database open” statement.

There are several system views that can provide us with information reguarding archives, such as:

V$DATABASE
Identifies whether the database is in ARCHIVELOG or NOARCHIVELOG mode and whether MANUAL (archiving mode) has been specified.
V$ARCHIVED_LOG
Displays historical archived log information from the control file. If you use a recovery catalog, the RC_ARCHIVED_LOG view contains similar information.
V$ARCHIVE_DEST
Describes the current instance, all archive destinations, and the current value, mode, and status of these destinations.
V$ARCHIVE_PROCESSES
Displays information about the state of the various archive processes for an instance.
V$BACKUP_REDOLOG
Contains information about any backups of archived logs. If you use a recovery catalog, the RC_BACKUP_REDOLOG contains similar information.
V$LOG
Displays all redo log groups for the database and indicates which need to be archived.
V$LOG_HISTORY
Contains log history information such as which logs have been archived and the SCN range for each archived log.

Using these tables we can verify that we are infact in ARCHIVELOG mode:

SQL> select log_mode from v$database;

LOG_MODE
————
ARCHIVELOG

SQL> select DEST_NAME,STATUS,DESTINATION from V$ARCHIVE_DEST;

I found below steps which helped to up the system in 10 min.

1- use oracle $ORACLE_HOME/bin tools to flush the mem


Error Message : ORA-01075: you are currently logged on
Solution : Clean up the shared memory occupied by ora by executing below commands.
ipcs -s | grep ora
This will list the semaphores occupied by orasid, use the semaphore id to clear up the memory.
ipcrm -s
ipcrm -m



oracle@db# export ORACLE_SID=oradb
oracle@db# cd /u01/app/oracle/product/10.2.0/bin/
oracle@db# /u01/app/oracle/product/10.2.0/bin> sysresv

IPC Resources for ORACLE_SID "oradb" :
Shared Memory
ID KEY
No shared memory segments used
Semaphores:
ID KEY
No semaphore resources used
Oracle Instance not alive for sid "oradb"
oracle@server /u01/app/oracle/product/10.2.0/bin> cd
oracle@server ~> ps -ef | grep oradb
oracle 3326 23776 0 14:12:05 pts/1 0:00 grep oradb


Instated of

alter system flush shared_pool;

because you can not log to sqlplus / as sysdba

ORA-01075: you are currently logged on

2- When you going to startup it will show you that

ORA-00845: MEMORY_TARGET not supported on this system

his error comes up because you tried to use the Automatic Memory Management (AMM) feature of Oracle 11g R2. Well done, but it seems that your shared memory filesystem (shmfs) is not big enough. So let’s look at the steps necessary to enlarge your shared memory filesystem to avoid the error above.

First of all, login as root and have a look at the filesystem:

[root@db]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_oracleem-lv_root
93G 19G 69G 22% /
tmpfs 5.9G 112K 5.9G 1% /dev/shm
/dev/sda1 485M 99M 362M 22% /boot

So we can see that tmpfs has a size of 6GB. We can change the size of that filesystem by issuing the following command:

[root@db oracle]# mount -t tmpfs shmfs -o size=8g /dev/shm

This command (re)mounts the shmfs filesystem (check this post for more information about shmfs) with the option “size=8g“.

3- SQL> startup

4- try to upgrade and raise

check the shared pool size
select name,value from v$parameter where name='shared_pool_size'

Change it
ALTER SYSTEM SET shared_pool_size=8G scope=both

but you need to restart db
shutdown immediate
startup

[ GOOD LUCK ]

[ References ]

http://www.dba-oracle.com/t_ora_04031_unable_to_allocate_shared_memory.htm

http://www.artun.eu/blog/?p=31

The requirement packages for  installation:

• Base System > Base
• Base System > Client management tools
• Base System > Compatibility libraries
• Base System > Hardware monitoring utilities
• Base System > Large Systems Performance
• Base System > Network file system client
• Base System > Performance Tools
• Base System > Perl Support
• Servers > Server Platform
• Servers > System administration tools
• Desktops > Desktop
• Desktops > Desktop Platform
• Desktops > Fonts
• Desktops > General Purpose Desktop
• Desktops > Graphical Administration Tools
• Desktops > Input Methods
• Desktops > X Window System
• Development > Additional Development
• Development > Development Tools
• Applications > Internet Browser

Download the Oracle software from OTN or MOS depending on your support status.

• OTN: Oracle Database 11g Release 2 (11.2.0.1) Software (64-bit) – For unsupported installation.
• MOS: Oracle Database 11g Release 2 (11.2.0.3) Software (64-bit) – For supported installation.

Unzip the files.

# 11.2.0.1
unzip linux.x64_11gR2_database_1of2.zip
unzip linux.x64_11gR2_database_2of2.zip

Hosts File

The “/etc/hosts” file must contain a fully qualified name for the server.

Automatic Setup
If you plan to use the “oracle-rdbms-server-11gR2-preinstall” package to perform all your prerequisite setup, follow the instructions at http://public-yum.oracle.com to setup the yum repository for OL, then perform the following command.

# yum install oracle-rdbms-server-11gR2-preinstall

Manual Setup

Oracle recommend the following minimum parameter settings.

fs.suid_dumpable = 1
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048586

The current values can be tested using the following command.

/sbin/sysctl -a | grep <param-name>

Add or amend the following lines in the “/etc/sysctl.conf” file.

fs.suid_dumpable = 1
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
# semaphores: semmsl, semmns, semopm, semmni
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default=4194304
net.core.rmem_max=4194304
net.core.wmem_default=262144
net.core.wmem_max=1048586

Run the following command to change the current kernel parameters.

/sbin/sysctl -p

Add the following lines to the “/etc/security/limits.conf” file.

oracle              soft    nproc   2047
oracle              hard    nproc   16384
oracle              soft    nofile  4096
oracle              hard    nofile  65536
oracle              soft    stack   10240

Install the following packages if they are not already present.

# From Oracle Linux 6 DVD
cd /media/cdrom/Server/Packages
rpm -Uvh binutils-2*x86_64*
rpm -Uvh glibc-2*x86_64* nss-softokn-freebl-3*x86_64*
rpm -Uvh glibc-2*i686* nss-softokn-freebl-3*i686*
rpm -Uvh compat-libstdc++-33*x86_64*
rpm -Uvh glibc-common-2*x86_64*
rpm -Uvh glibc-devel-2*x86_64*
rpm -Uvh glibc-devel-2*i686*
rpm -Uvh glibc-headers-2*x86_64*
rpm -Uvh elfutils-libelf-0*x86_64*
rpm -Uvh elfutils-libelf-devel-0*x86_64*
rpm -Uvh gcc-4*x86_64*
rpm -Uvh gcc-c++-4*x86_64*
rpm -Uvh ksh-*x86_64*
rpm -Uvh libaio-0*x86_64*
rpm -Uvh libaio-devel-0*x86_64*
rpm -Uvh libaio-0*i686*
rpm -Uvh libaio-devel-0*i686*
rpm -Uvh libgcc-4*x86_64*
rpm -Uvh libgcc-4*i686*
rpm -Uvh libstdc++-4*x86_64*
rpm -Uvh libstdc++-4*i686*
rpm -Uvh libstdc++-devel-4*x86_64*
rpm -Uvh make-3.81*x86_64*
rpm -Uvh numactl-devel-2*x86_64*
rpm -Uvh sysstat-9*x86_64*
rpm -Uvh compat-libstdc++-33*i686*
rpm -Uvh compat-libcap*
cd /
eject

Note. This will install all the necessary 32-bit packages for 11.2.0.1. From 11.2.0.2 onwards many of these are unnecessary, but having them present does not cause a problem.

Create the new groups and users.

groupadd -g 501 oinstall
groupadd -g 502 dba
groupadd -g 503 oper
groupadd -g 504 asmadmin
groupadd -g 506 asmdba
groupadd -g 505 asmoper

useradd -u 502 -g oinstall -G dba,asmdba,oper oracle
passwd oracle

Note. We are not going to use the “asm” groups, since this installation will not use ASM.

Additional Setup

Disable secure linux by editing the “/etc/selinux/config” file, making sure the SELINUX flag is set as follows.

SELINUX=disabled

Once the change is complete, restart the server.

If you have the Linux firewall enabled, you will need to disable or configure it, as shown here or here.

Create the directories in which the Oracle software will be installed.

mkdir -p /u01/app/oracle/product/11.2.0/db_1
chown -R oracle:oinstall /u01
chmod -R 775 /u01

Login as root and issue the following command.

xhost +<machine-name>

Login as the oracle user and add the following lines at the end of the “.bash_profile” file.

# Oracle Settings
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR

ORACLE_HOSTNAME=ol6-112.localdomain; export ORACLE_HOSTNAME
ORACLE_UNQNAME=DB11G; export ORACLE_UNQNAME
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1; export ORACLE_HOME
ORACLE_SID=DB11G; export ORACLE_SID

PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH

LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

Installation

Log into the oracle user. If you are using X emulation then set the DISPLAY environmental variable.

DISPLAY=<machine-name>:0.0; export DISPLAY

Start the Oracle Universal Installer (OUI) by issuing the following command in the database directory.

./runInstaller

http://danielmiessler.com/study/tcpdump/

• Options
• Basic Usage
• Common Syntax
• Writing to a File
• Getting Creative
• Advanced

tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Ethereal Wireshark, but I believe this to usually be a mistake.

In a discipline so dependent on a true understanding of concepts vs. rote learning, it’s important to stay fluent in the underlying mechanics of the TCP/IP suite. A thorough grasp of these protocols allows one to troubleshoot at a level far beyond the average analyst, but mastery of the protocols is only possible through continued exposure to them.

When using a tool that displays network traffic a more natural (raw) way the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.

15:31:34.079416 IP (tos 0x0, ttl  64, id 20244, offset 0, flags [DF], 
proto: TCP (6), length: 60) source.35970 > dest.80: S, cksum 0x0ac1 
(correct), 2647022145:2647022145(0) win 5840 0x0000:  4500 003c 4f14 4000 
4006 7417 0afb 0257  E..  0x0010:  4815 222a 8c82 0050 9dc6 5a41 0000 
0000  H."*...P..ZA....  0x0020:  a002 16d0 0ac1 0000 0204 05b4 
0402 080a  ................  0x0030:  14b4 1555 0000 0000 0103 0302

Options

Below are a few options (with examples) that will help you greatly when working with the tool. They’re easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this page can serve as a reference for you, as it does me.

First off, I like to add a few options to the tcpdump command itself, depending on what I’m looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can’t see weirdness in the sequence numbers if they’re being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets.

It’s also important to note that tcpdump only takes the first 68 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything. Here’s a short list of the options I use most:

• -i any : Listen on all interfaces just to see if you’re seeing any traffic.
• -n : Don’t resolve hostnames.
• -nn : Don’t resolve hostnames or port names.
• -X : Show the packet’s contents in both hex and ASCII.
• -XX : Same as -X, but also shows the ethernet header.
• -v, -vv, -vvv : Increase the amount of packet information you get back.
• -c : Only get x number of packets and then stop.
• -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
• -S : Print absolute sequence numbers.
• -e : Get the ethernet header as well.
• -q : Show less protocol information.
• -E : Decrypt IPSEC traffic by providing an encryption key.

[ The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won't get everything. Use -s 1514 to get full coverage ]

Basic Usage

So, based on the kind of traffic I’m looking for, I use a different combination of options to tcpdump, as can be seen below:

1. Basic communication // see the basics without many options

   # tcpdump -nS

1. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help

   # tcpdump -nnvvS

1. A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet

   # tcpdump -nnvvXS

1. Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet

   # tcpdump -nnvvXSs 1514

Here’s a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options described above. Notice how much we see about each packet.

linux root # tcpdump -nnvXSs 0 -c2 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), 23:11:10.370321 IP 
(tos 0x20, ttl  48, id 34859, offset 0, flags [none], length: 84) 
69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0

        0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
        0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
23:11:10.370344 IP (tos 0x20, ttl  64, id 35612, offset 0, flags [none], 
length: 84) 72.21.34.42 > 69.254.213.43: icmp 64: echo reply seq 0
        0x0000:  4520 0054 8b1c 0000 4001 6a04 4815 222a  E..T....@.j.H."*
        0x0010:  45fe d52b 0000 3d30 272a 0000 25ff d744  E..+..=0'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
2 packets captured
2 packets received by filter
0 packets dropped by kernel
linux root #

 #

Common Syntax

Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. There are three main types of expression: type, dir, and proto.

Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:

• host // look for traffic based on IP address (also works with hostname if you’re not using -n)

  # tcpdump host 1.2.3.4

• src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

  # tcpdump src 2.3.4.5

  # tcpdump dst 3.4.5.6

• net // capture an entire network using CIDR notation

  # tcpdump net 1.2.3.0/24

• proto // works for tcp, udp, and icmp. Note that you don’t have to type proto

  # tcpdump icmp

• port // see only traffic to or from a certain port

  # tcpdump port 3389

• src, dst port // filter based on the source or destination port

  # tcpdump src port 1025

  # tcpdump dst port 389

• src/dst, port, protocol // combine all three

  # tcpdump src port 1025 and tcp

  # tcpdump udp and src port 53

You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.

• Port Ranges // see traffic to any port in a rangetcpdump portrange 21-23

• Packet Size Filter // only see packets below or above a certain size (in bytes)tcpdump less 32

  tcpdump greater 128

[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]

// filtering for size using symbols

tcpdump > 32

tcpdump <= 128

Writing to a File

tcpdump allows you to send what you’re capturing to a file for later use using the -w option, and then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.

The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 port 80 -w capture_file

Then, at some point in the future, you can then read the traffic back in like so:

Read Captured Traffic back into tcpdump

# tcpdump -r capture_file

Getting Creative

Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied computers at all they’ll be pretty familar to you:

1. ANDand or &&
2. ORor or ||
3. EXCEPTnot or !

More Examples

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.

Grouping

Also keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters — in this case the “( )” brackets. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below:

If you tried to run this otherwise very useful command, you’d get an error because of the parenthesis. You can either fix this by escaping the parenthesis (putting a \ before each one), or by putting the entire command within single quotes:

Advanced

You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.

[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ]

[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]

Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.

As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set.

Specialized Traffic

Finally, there are a few quick recipes you’ll want to remember for catching specific and specialized traffic, such as IPv6 and malformed/likely-malicious packets.

Conclusion

Well, this primer should get you going strong, but the man page should always be handy for the most advanced and one-off usage scenarios.

Source: http://danielmiessler.com/study/tcpdump/

To run a single UNIX command use the command:

:!UNIX_command

You can start a shell from within vi and use it as you would your usual UNIX environment, then exit the shell and return to vi

To start up a shell enter the command:

:sh

The type of shell that is started is determined by the $SHELL variable. You can specify that some other shell is to be started by setting the vi shell option

Return to using vi by entering the command exit or Ctrl-D

To insert the output from a UNIX command into a file, immediately after the cursor:

:r!command

The -n option prevents lsof from being slowed down by a large number of DNS lookups, and the -i option returns all TCP/IP connections (with process numbers, user ids, file descriptor ids, and so on). To narrow it down, utilize options like the following – to list all SMTP connections, for example:

lsof -n -i :25

It is also possible to list only certain processes (such as process 25 and process 45):

lsof -n -p 25 -p 45

Alternately, the process can be selected by name:

lsof -n -c perl

However, suppose one wants to list all TCP/IP sockets held open by perl processes. The obvious choice does not work! This is because the options are combined together as an OR function; to combine them as an AND function (that is, all options must be satisfied) use the -a option – such as this:

lsof -a -n -c perl -i

This lists, as desired, all TCP/IP sockets held open by perl processes.

Another that might be useful in a security context is listing all files that are open but have no links to them: that is, they’ve been deleted, but one or more processes are keeping the file open, which means the file itself (and its blocks) are being preserved even though it appears to be deleted from the filesystem. To see these files, use this option:

lsof +L1

The utility lsof is indeed very useful, and reading the man page for lsof is recommended.