Practical Packet Analysis Notes 1

Hubbing out involves placing a hub, or something like a Throwing Star LAN Tap, between a host and the switch. Per the book, in most situations the target's duplex is cut to half.

View->Coloring Rules is a handy way to add your own rules to make traffic stand out.

Mark a packet so it stands out with white text on a black backdrop: CTRL+M. You can jump forward or back between marked packets with CTRL+SHIFT+N and CTRL+SHIFT+B.

You can merge pcaps to tie together captures from multiple devices and get a better view: File->Merge.

Create capture and display filters. Wireshark uses comparison and logical operators.

Comparison Operators
==    equal to
!=    not equal to
>     greater than
<     less than
>=    greater than or equal to
<=    less than or equal to

Logical Operators
and   both conditions must be true
or    either one of the conditions must be true
xor   one and only one condition must be true
not   neither one of the conditions is true

Sample Filter Expressions
host          display all traffic from host
!ip           display all non-IP traffic
ip.dst==      display all traffic with a destination of
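As an added illustration (not from the book or the original notes), here is a small Python evaluator for the operator table above. It tokenizes a filter expression, applies a conventional precedence (not binds tightest, then and, then xor, then or; parentheses override), and runs it over a few constructed packets represented as dictionaries of Wireshark-style field names. The packet data, the DisplayFilter class and the apply_filter helper are assumptions for the example, not Wireshark code.

```python
import operator
import re

# Constructed sample "packets" (not from a real capture): each packet is a flat
# dict of Wireshark-style field names to values. A protocol counts as present
# when any field belonging to it is present.
PACKETS = [
    {"eth.src": "00:11:22:33:44:01", "ip.src": "192.168.1.10", "ip.dst": "10.0.0.5", "tcp.port": 80},
    {"eth.src": "00:11:22:33:44:02", "ip.src": "192.168.1.11", "ip.dst": "10.0.0.5", "tcp.port": 22},
    {"eth.src": "00:11:22:33:44:03", "ip.src": "192.168.1.12", "ip.dst": "10.0.0.9", "udp.port": 53},
    {"eth.src": "00:11:22:33:44:04", "arp.opcode": 1},   # non-IP frame
]

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}

# Tokens: parentheses, comparison operators, the "!" spelling of not, field
# names / keywords, and numbers or dotted values such as IP addresses.
TOKEN_RE = re.compile(r"\s*(\(|\)|==|!=|>=|<=|>|<|!|[A-Za-z_][\w.]*|\d+(?:\.\d+)*)")


def _coerce(raw):
    """Numeric literals compare as ints; everything else (IPs, names) as strings."""
    return int(raw) if raw.isdigit() else raw


class DisplayFilter:
    """Recursive-descent evaluator; precedence from lowest to highest: or, xor, and, not."""

    def __init__(self, expr):
        self.tokens = TOKEN_RE.findall(expr)
        if "".join(self.tokens) != re.sub(r"\s+", "", expr):
            raise ValueError(f"cannot tokenize filter: {expr!r}")

    def matches(self, pkt):
        self.pkt, self.pos = pkt, 0
        result = self._or()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def _or(self):
        left = self._xor()
        while self._peek() == "or":
            self._next()
            right = self._xor()          # always parse the right-hand side
            left = left or right
        return left

    def _xor(self):
        left = self._and()
        while self._peek() == "xor":
            self._next()
            left = left != self._and()   # true when one and only one side is true
        return left

    def _and(self):
        left = self._not()
        while self._peek() == "and":
            self._next()
            right = self._not()
            left = left and right
        return left

    def _not(self):
        if self._peek() in ("not", "!"):
            self._next()
            return not self._not()
        return self._primary()

    def _primary(self):
        tok = self._next()
        if tok == "(":
            value = self._or()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return value
        field = tok
        if self._peek() in OPS:               # field <op> value
            op, raw = self._next(), self._next()
            return field in self.pkt and OPS[op](self.pkt[field], _coerce(raw))
        # bare name: protocol or field presence test (e.g. "ip", "udp")
        return any(k == field or k.startswith(field + ".") for k in self.pkt)


def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets the display filter selects."""
    flt = DisplayFilter(expr)
    return [i for i, pkt in enumerate(packets) if flt.matches(pkt)]
```

For instance apply_filter("ip.dst == 10.0.0.5 and not tcp.port == 80") keeps only the second packet, and apply_filter("!ip") keeps only the ARP frame.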

You can manage and apply existing filters, or create a new filter from a current expression from within the filter construction dialog by clicking on the small filter icon to the left of the filter expression icon within the filter toolbar!

Name Resolution

You can enable name resolution by opening the Capture Options dialog (Capture->Options) and selecting the Options tab.

  1. MAC Name Resolution – Uses ARP to convert a layer 2 MAC address into a layer 3 IP address; display 00:11:22:33:44:55:66 as
  2. Network Name Resolution – Uses DNS to resolve IP addresses to human-readable DNS names; display as SalesWorkstation001.
  3. Transport Name Resolution – Converts a port number to its associated transport technology; display port 80 as http.

Name resolution may not be desirable. It can add processing overhead and resolution can fail. A capture does not store name resolution data, so expect this overhead when reviewing previously saved captures.

Protocol Dissection

Wireshark relies on protocol dissectors to convert raw data into something it understands, but it can select the wrong dissector. Most commonly this occurs when a standard protocol is running on a non-standard port. For instance, HTTP traffic flowing over port 22 could be classified as SSH!

Right-click a packet and select "Decode As." from the menu. This lets you choose a different protocol dissector than the one Wireshark picked.

Following TCP Streams

Right-click a packet in the Packet List pane of the main window and choose Follow->TCP Stream to view the related packets and the payload that is delivered to the application layer of the OSI stack. You can also select a TCP conversation on the TCP tab of the Statistics->Conversations dialog.


Statistics->Endpoints summarizes traffic measured in bits, bytes, and packets, grouped by host.

Unifi AP hostname does not update

You need to initiate a provisioning of a Ubiquiti Unifi access point for a change to its Alias to take effect. This can be done by changing something like the channel used in the 2.4 or 5 GHz spectrum or modifying the radio signal strength.

Restarting the access point is not sufficient.

Until you do this, running info from the BusyBox CLI on the access point reflects the old alias. Similarly, attempting to Add Device using SNMP in LibreNMS will fail too.


Dynamic DNS Updates

Non-domain DHCP clients do not get a DNS record when they receive a lease.

Add a new user with a password that does not expire and make it a member of the DHCP Administrators security group.

Open the DHCP console, connect to the DHCP server and open the IPv4 properties. Under the Advanced tab, specify the credentials you created earlier.

I found restarting the DHCP and DNS services had no effect, so in my experience rebooting the Windows Server 2012 R2 box that hosted DNS and DHCP did the trick.

Now I see various wireless clients, including a non-domain-joined Windows laptop and iPhones, with names that now resolve to IP addresses.

It is worth a mention: I disabled secure updates.

Apparently you can achieve the same thing by adding the DHCP server to the DnsUpdateProxy group. But this is a security risk if the box that DHCP is running on is also a domain controller, because the AD records can then be written to by anyone. The OpenACLOnProxyUpdate setting can mitigate the risk. The recommended solution is to specify credentials for the dynamic DNS update.

Ubiquiti EdgeOS Find MAC Address

On a core layer switch I wanted to learn which port was connected to an access layer switch. This would enable me to add the missing documentation of the network topology.

First find the MAC address of the access layer switch; we'll search for this value in the IP stack's ARP table. To do this, jump into Unifi and select your access layer switch. From the Properties window, select the Configuration tab, then expand Debug Terminal. Click Open Terminal and, when the terminal opens, run the info command from the BusyBox CLI. This reveals a few details about the switch, including the MAC address of the management interface.

With the MAC address in hand we will search for it from the EdgeSwitch CLI.

(UBNT EdgeSwitch) #show mac-addr-table 04:18:d6:f0:d2:34

VLAN ID  MAC Address         Interface              IfIndex  Status
-------  ------------------  ---------------------  -------  ------------
1        04:18:D6:F0:D2:34   0/8                    8        Learned

(UBNT EdgeSwitch) #

On the other hand, you can find the MAC address of a device on the other end of a link by specifying an interface instead.

(UBNT EdgeSwitch) #show mac-addr-table interface 0/16
   MAC Address      VLAN ID      Status
-----------------  ---------  ------------
D4:F4:BE:1F:99:11     1        Learned

(UBNT EdgeSwitch) #

more to come….

SCCM No Task Sequence Available For This Computer

This is caused by one or more workstations in the network having the same SMBIOS GUID, aka System UUID in SCCM terms.

On the workstation that cannot run a Task Sequence, launch a command prompt in WinPE by pressing SHIFT + F10 and drop into the WMIC CLI by issuing this command:

wmic

At the prompt wmic:root\cli>, get the SMBIOS GUID by issuing:

csproduct get uuid

Paste the GUID into a new text document in Notepad and transfer it to the SCCM server, for example by mapping a share from WinPE. We'll build a query using the System UUID to find the conflicting workstations.

net use j: \\sccmServer\share /user:domainName\userName

We’ll enter that System UUID into a Device Collection Query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SMBIOSGUID = "4C4C4544-0053-5810-8059-B2C04F433832"


Windows 10 Add User

This task fails when using the Settings app, but there is a workaround.

Tap Windows Key + R to open the Run dialog window.

Run this command:

control userpasswords2

EdgeOS 1.9.1 l2tp ipsec vpn

So upgrading to the latest firmware on my Ubiquiti EdgeRouter, in typical fashion, broke something I depend on: remote access to my home network.

The solution below was found in the forums. The poor fellow posted his problems September 9, 2016. Engineers responded January 27, 2017.

delete vpn l2tp remote-access outside-address
delete vpn l2tp remote-access outside-nexthop
set vpn l2tp remote-access dhcp-interface eth0

The official documentation states that outside-nexthop and outside-address were deprecated.



Cisco Router Packet Forwarding

Process Switching

The router scans the entire routing table, searching for an exit interface that is connected to the destination network. This is CPU intensive and no longer practiced because it would quickly bog down a router.

Fast Switching

Enabled by default on all interfaces that support fast switching. To conserve resources, the router builds a table in high-speed cache so it does not have to process switch every packet it receives.

When a router receives a packet sent to a destination not already in the cache, the packet is process switched.

After finding the exit interface and determining the next-hop IP, the router places this information in the cache.
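To make the process/fast switching distinction concrete, here is a small Python model (an added example, not from the article or Cisco): on a cache miss the router does a longest-prefix scan of the whole routing table (process switching), stores the result, and serves later packets to the same destination from the cache (fast switching). The routing table, interface names and the Router class are assumptions for the example; a real IOS fast-switching cache differs in entry granularity and aging.

```python
import ipaddress

# Constructed routing table (not from the article): prefix -> (next hop, exit interface).
ROUTING_TABLE = {
    "10.0.0.0/8":    ("192.168.12.2", "FastEthernet0/0"),
    "10.1.0.0/16":   ("192.168.13.2", "FastEthernet0/1"),
    "172.16.0.0/12": ("192.168.14.2", "Serial0/0/0"),
    "0.0.0.0/0":     ("192.168.12.2", "FastEthernet0/0"),   # default route
}


class Router:
    """Toy forwarding engine: process switching on a cache miss, fast switching on a hit."""

    def __init__(self, table):
        self.routes = [(ipaddress.ip_network(prefix), nh, intf)
                       for prefix, (nh, intf) in table.items()]
        self.cache = {}              # destination -> (next hop, exit interface)
        self.process_switched = 0
        self.fast_switched = 0

    def process_switch(self, dst):
        """Scan the entire routing table for the longest matching prefix (the CPU-bound path)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, intf in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, intf)
        if best is None:
            raise LookupError(f"no route to {dst}")
        self.process_switched += 1
        return best[1], best[2]

    def forward(self, dst):
        """Fast switching: answer from the cache if possible, else process switch and populate it.
        Returns (next hop, exit interface, which path was taken)."""
        if dst in self.cache:
            self.fast_switched += 1
            return self.cache[dst] + ("fast",)
        nh, intf = self.process_switch(dst)
        self.cache[dst] = (nh, intf)   # one entry per destination address seen
        return nh, intf, "process"

    def clear_cache(self):
        """A routing change makes cached entries stale; dropping them forces a fresh lookup."""
        self.cache.clear()

    def show_cache(self):
        """Roughly what 'show ip cache' lists: one line per cached destination."""
        return sorted((dst, nh, intf) for dst, (nh, intf) in self.cache.items())
```

The first packet to 10.1.2.3 is process switched to FastEthernet0/1 (the /16 beats the /8), and the second packet to the same address is served from the cache without touching the routing table.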

You can enable fast switching per interface by issuing:

conf t
int fa0/0
ip route-cache

Review that fast switching has been enabled:

Lab-C#show ip int fa0/0 | in IP fast
 IP fast switching is enabled
 IP fast switching on the same interface is disabled

You can view the table held in cache:

show ip cache

You can review this process of placing entries in the cache by enabling packet debugging:

debug ip packet detail

Keep in mind that with packet debugging enabled you can review process switching activity; fast-switched and CEF-switched packets do not show up. So for the sake of troubleshooting it may be a good idea to temporarily disable fast switching (no ip route-cache) and CEF.


Intense School: Process Switching, Fast Switching, and CEF

Cisco Fast Switching

Cisco Verify CEF Switching

Gratuitous ARP

A client network interface configured for DHCP issues a gratuitous ARP request after it has received an IP address offered by the DHCP server. It does this to detect whether any other local host has the same IP address, in order to avoid an ongoing address conflict.

The host in question will issue a gratuitous ARP request packet configured as follows:

Source Hardware Address (SHA): its own MAC address
Source Protocol Address (SPA): the DHCP assigned IP address
Destination Hardware Address: Broadcast MAC FF:FF:FF:FF:FF:FF
Destination Protocol Address: the DHCP assigned IP address

Since hosts are required to receive and process all ARP traffic, you can expect a gratuitous ARP reply if another host already has the IP address just assigned. At this point the DHCP client will report the address conflict to the DHCP server.

Although the DHCP server will initially ping the IP it intends to assign as a preventive measure, it is possible the ARP table on the DHCP server is not accurate. A local host could therefore be lurking on the network with the IP in question, using a MAC address that differs from whatever the DHCP server's ARP table does (or does not) record.
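The probe and the conflict check described above, as an added Python example (not from the article or from any RFC reference implementation): it builds the gratuitous ARP frame with the four fields listed, parses ARP frames back out of raw bytes, and flags a conflict when another MAC is seen claiming the leased address in any ARP packet, request or reply. The MAC and IP values and the observed frames are constructed for the example.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa, eth_dst=BROADCAST_MAC):
    """Ethernet II frame carrying an ARP packet for Ethernet/IPv4 (hlen 6, plen 4)."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sha) + ip_to_bytes(spa)   # SHA, SPA
    arp += mac_to_bytes(tha) + ip_to_bytes(tpa)   # THA, TPA
    return eth + arp


def build_gratuitous_arp(own_mac, assigned_ip):
    """The DHCP client's probe as the text lays it out: SHA = own MAC, SPA = TPA = the
    assigned IP, destination hardware address = the broadcast MAC."""
    return build_arp(ARP_REQUEST, own_mac, assigned_ip, BROADCAST_MAC, assigned_ip)


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into its fields, or return None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": bytes_to_mac(frame[22:28]), "spa": bytes_to_ip(frame[28:32]),
            "tha": bytes_to_mac(frame[32:38]), "tpa": bytes_to_ip(frame[38:42])}


def is_gratuitous(arp):
    """Gratuitous ARP: the sender asks about (or announces) its own address."""
    return arp is not None and arp["spa"] == arp["tpa"]


def detect_conflict(own_mac, assigned_ip, observed_frames):
    """Return the MAC of another host claiming our IP in any observed ARP packet, else None.
    Mirrors the RFC 5227 rule that any ARP with SPA == our address and SHA != our MAC is a conflict."""
    for frame in observed_frames:
        arp = parse_arp(frame)
        if arp and arp["spa"] == assigned_ip and arp["sha"] != own_mac.lower():
            return arp["sha"]
    return None


# Constructed sample traffic for a client that was just leased 192.168.1.50.
CLIENT_MAC, LEASED_IP = "00:11:22:33:44:55", "192.168.1.50"
OBSERVED_FRAMES = [
    build_gratuitous_arp(CLIENT_MAC, LEASED_IP),
    # unrelated request from a neighbour looking for the gateway
    build_arp(ARP_REQUEST, "00:aa:bb:cc:dd:01", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    # a lurking host answers for the leased address: this is the conflict
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", LEASED_IP, CLIENT_MAC, LEASED_IP, eth_dst=CLIENT_MAC),
    b"\x00" * 60,   # non-ARP noise, ignored by the parser
]
```

Running detect_conflict(CLIENT_MAC, LEASED_IP, OBSERVED_FRAMES) returns the lurking host's MAC; with the reply removed from the list it returns None, which is the case where the client keeps the lease.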


RFC 826: Ethernet Address Resolution Protocol

RFC 5227: IP Address Conflict Detection

Wireshark: Gratuitous ARP

Slot Naming Convention

When matching physical interfaces on a router to what we see in the CLI, it is important to understand the Cisco slot naming convention. Cisco numbers slots, subslots, and ports right to left, then bottom to top.

The convention is Slot#/Port# or Slot#/Subslot#/Port#.

Review available interfaces from the CLI by issuing the command:

show ip interface

Built-in interfaces belong to slot 0. For example, the 2811 router has two built-in Fast Ethernet ports. From the CLI they are identified as Fa0/0 and Fa0/1.

Say I plug a WIC-2T serial module into subslot 0. From the CLI its interfaces are identified as S0/0/0 and S0/0/1. This shows the WIC-2T module belongs to slot 0, subslot 0, and we have two interfaces available at ports 0 and 1.

To illustrate another slot, slot 1, I plug in a network module extension (NME) known as NM-1FE2W. This has one Fast Ethernet interface and provides two additional subslot spots above it for wide interface card (WIC) modules. In the following illustration you can see I have added another WIC-2T to the NM-1FE2W.

As a result I now have two more serial interfaces, identified in the CLI as S1/0/0 and S1/0/1.

Finally I populate subslot 1 of the previously installed NM-1FE2W with a 4-port switch interface card, the HWIC-4ESW. From the CLI you'll observe 4 new interfaces: Fa1/1/0, Fa1/1/1, Fa1/1/2, and Fa1/1/3.

After adding the NME and all WICs you have access to the following interfaces:

Router>show ip interface
FastEthernet0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial0/0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial0/0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/1/0 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/1 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/2 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/3 is up, line protocol is down
  Internet protocol processing disabled
Vlan1 is administratively down, line protocol is down
  Internet protocol processing disabled
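An added Python example (not from the article or Cisco) that applies the slot naming convention: it splits a CLI interface name into type, slot, subslot and port, predicts the names for the 2811 as it was built up above, and reconciles them against the show ip interface listing so that an interface the hardware inventory does not account for stands out. The module inventory and the helper names are assumptions for the example; the sample output is the listing from the text.

```python
import re

# 'Fa1/1/2' or 'FastEthernet1/1/2': a type name followed by slot/[subslot/]port.
IF_RE = re.compile(r"^(?P<type>[A-Za-z]+)(?P<nums>\d+(?:/\d+)*)$")

# First line of each 'show ip interface' entry: name, admin/line state, line protocol.
STATUS_RE = re.compile(r"^(\S+) is (administratively down|up|down), line protocol is (up|down)")


def parse_interface(name):
    """Split a CLI interface name into (type, slot, subslot, port).
    Subslot is None for Slot#/Port# names; logical interfaces such as Vlan1 have no slot."""
    m = IF_RE.match(name)
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    nums = [int(n) for n in m.group("nums").split("/")]
    if len(nums) == 1:
        return m.group("type"), None, None, nums[0]
    if len(nums) == 2:
        return m.group("type"), nums[0], None, nums[1]
    if len(nums) == 3:
        return m.group("type"), nums[0], nums[1], nums[2]
    raise ValueError(f"too many components: {name!r}")


def predict_names(modules):
    """Given installed hardware as (type, slot, subslot or None, port count) tuples,
    list the CLI names the convention predicts, numbering ports from 0."""
    names = []
    for itype, slot, sub, count in modules:
        for port in range(count):
            names.append(f"{itype}{slot}/{port}" if sub is None else f"{itype}{slot}/{sub}/{port}")
    return names


def parse_show_ip_interface(output):
    """Map each interface in 'show ip interface' output to (admin/line state, line protocol)."""
    states = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            states[m.group(1)] = (m.group(2), m.group(3))
    return states


def reconcile(modules, output):
    """Return (physical interfaces seen but not predicted, predicted but not seen)."""
    predicted = set(predict_names(modules))
    seen = {n for n in parse_show_ip_interface(output) if parse_interface(n)[1] is not None}
    return sorted(seen - predicted), sorted(predicted - seen)


# The 2811 as built up in the text: two built-in FastEthernet ports, a WIC-2T in
# subslot 0 of slot 0, an NM-1FE2W in slot 1 with a WIC-2T in its subslot 0 and an
# HWIC-4ESW in its subslot 1. (Inventory format is an assumption of this example.)
CHASSIS_2811 = [
    ("FastEthernet", 0, None, 2),
    ("Serial", 0, 0, 2),
    ("FastEthernet", 1, None, 1),
    ("Serial", 1, 0, 2),
    ("FastEthernet", 1, 1, 4),
]

# The 'show ip interface' listing from the text.
SAMPLE_OUTPUT = """\
FastEthernet0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial0/0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial0/0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/1/0 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/1 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/2 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/3 is up, line protocol is down
  Internet protocol processing disabled
Vlan1 is administratively down, line protocol is down
  Internet protocol processing disabled
"""
```

reconcile(CHASSIS_2811, SAMPLE_OUTPUT) returns two empty lists for this chassis: every physical interface in the listing is explained by the inventory, and Vlan1 is skipped as a logical interface.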

Below is a screen shot of what my Cisco 2811 router looks like in Packet Tracer.