Everything posted by wildweaselmi
-
Cisco Password Recovery
Follow the password recovery procedure below.

Attach a terminal or PC with terminal emulation (for example, Hyper Terminal) to the console port of the switch. Use the following terminal settings:
    Bits per second (baud): 9600
    Data bits: 8
    Parity: None
    Stop bits: 1
    Flow Control: Xon/Xoff

Unplug the power cable.

Power the switch and bring it to the switch: prompt:
For 2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 series switches, do this: Hold down the mode button located on the left side of the front panel, while you reconnect the power cable to the switch.
The Catalyst 2955 series switches do not use an external mode button for password recovery. Instead the switch boot loader uses the break-key detection to stop the automatic boot sequence for the password recovery purposes. The break sequence is determined by the terminal application and operating system used. Hyperterm running on Windows 2000 uses Ctrl + Break. On a workstation running UNIX, Ctrl-C is the break key. The example below uses Hyperterm to break into switch: mode on a 2955.

    C2955 Boot Loader (C2955-HBOOT-M) Version 12.1(0.0.514), CISCO DEVELOPMENT TEST VERSION
    Compiled Fri 13-Dec-02 17:38 by madison
    WS-C2955T-12 starting...
    Base ethernet MAC Address: 00:0b:be:b6:ee:00
    Xmodem file system is available.
    Initializing Flash...
    flashfs: 19 files, 2 directories
    flashfs: 0 orphaned files, 0 orphaned directories
    flashfs: Total bytes: 7741440
    flashfs: Bytes used: 4510720
    flashfs: Bytes available: 3230720
    flashfs: flashfs fsck took 7 seconds
    ....done initializing flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4

    *** The system will autoboot in 15 seconds ***

    Send break character to prevent autobooting.
    !--- Wait until you see this message before
    !--- you issue the break sequence.
    !--- Ctrl+Break is entered using Hyperterm.

    The system has been interrupted prior to initializing the flash file system to finish loading the operating system software:
    flash_init
    load_helper
    boot
    switch:

Issue the flash_init command.

    switch: flash_init
    Initializing Flash...
    flashfs: 143 files, 4 directories
    flashfs: 0 orphaned files, 0 orphaned directories
    flashfs: Total bytes: 3612672
    flashfs: Bytes used: 2729472
    flashfs: Bytes available: 883200
    flashfs: flashfs fsck took 86 seconds
    ....done Initializing Flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4
    switch:
    !--- This output is from a 2900XL switch. Output from
    !--- other switches will vary slightly.

Issue the load_helper command.

    switch: load_helper
    switch:

Issue the dir flash: command. Note: Make sure to type a colon ":" after the dir flash. The switch file system is displayed:

    switch: dir flash:
    Directory of flash:/
    2  -rwx  1803357  c3500xl-c3h2s-mz.120-5.WC7.bin
    !--- This is the current version of software.
    4  -rwx  1131     config.text
    !--- This is the configuration file.
    5  -rwx  109      info
    6  -rwx  389      env_vars
    7  drwx  640      html1
    8  -rwx  10 9     info.ver
    403968 bytes available (3208704 bytes used)
    switch:
    !--- This output is from a 3500XL switch. Output from
    !--- other switches will vary slightly.

Type rename flash:config.text flash:config.old to rename the configuration file.

    switch: rename flash:config.text flash:config.old
    switch:
    !--- The config.text file contains the password
    !--- definition.

Issue the boot command to boot the system.

    switch: boot
    Loading "flash:c3500xl-c3h2s-mz.120-5.WC7.bin"...#####################################################################################################################################################################################
    File "flash:c3500xl-c3h2s-mz.120-5.WC7.bin" uncompressed and installed, entry point: 0x3000
    executing...
    !--- Output suppressed.
    !--- This output is from a 3500XL switch. Output from other switches
    !--- will vary slightly.

Enter "n" at the prompt to abort the initial configuration dialog.

    --- System Configuration Dialog ---
    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.
    Continue with configuration dialog? : n
    !--- Type "n" for no.
    Press RETURN to get started.
    !--- Press Return or Enter .
    Switch>
    !--- The Switch> prompt is displayed.

At the switch prompt, type en to enter enable mode.

    Switch> en
    Switch#

Type rename flash:config.old flash:config.text to rename the configuration file with its original name.

    Switch# rename flash:config.old flash:config.text
    Destination filename
    !--- Press Return or Enter .
    Switch#

Copy the configuration file into memory.

    Switch# copy flash:config.text system :running-config
    Destination filename ?
    !--- Press Return or Enter .
    1131 bytes copied in 0.760 secs
    Sw1#

The configuration file is now reloaded. Overwrite the current passwords that you do not know. Choose a strong password with at least one capital letter, one number, and one special character. Note: Overwrite the passwords which are necessary. You need not overwrite all of the mentioned passwords.

    Sw1# conf t
    !--- To overwrite existing secret password
    Sw1(config)# enable secret
    !--- To overwrite existing enable password
    Sw1(config)# enable password
    !--- To overwrite existing vty password
    Sw1(config)# line vty 0 15
    Sw1(config-line)# password
    Sw1(config-line)# login
    !--- To overwrite existing console password
    Sw1(config-line)# line con 0
    Sw1(config-line)# password

Write the running configuration to the configuration file with the write memory command.

    Sw1# write memory
    Building configuration...
    Sw1#
-
T1 vs. DS3 vs. OC3
FYI IMA stands for Inverse Multiplexing for ATM. This technology provides a scalable and cost-effective solution for customers seeking to expand WAN bandwidth from T1 speeds, without having to pay for DS3 or OC3 circuits. With IMA, two or more T1 circuits can be "bundled"; for example, a 12Meg IMA circuit is 8 T1 circuits (so 1.544Mbps x 8 = 12Mbps).
-
DJ Software of Choice
Serato Scratch Live is the best DJ software for those who want to DJ or VJ with your MacBook or if you want to experiment with scratching (though not necessary). DOWNFALL to Serato is it is very resource intensive and you must use the RANE Scratch Live audio card, which isn't compatible with ANY other DJ software. When I had Traktor with the Audio 8 sound card, the Audio 8 worked with any other DJ software.
-
T1 vs. DS3 vs. OC3
T1: dedicated connection capable of speeds of up to 1.5Mbps
24 DS-0 channels
A DS-0 service is a single digital channel of 64 Kbps. T lines are popular leased line options for businesses connecting to the Internet and for Internet Service Providers (ISPs) connecting to the Internet backbone. A T-1 line provides DS-1 service and actually consists of 24 DS-0 channels; each channel can be configured to carry voice or data traffic. A T-1 line supports data rates of 1.544Mbits per second. How come? 8000 * 8 bit resolution * 24 = 1.536 Mbps?

DS3: The data rate for this type of signal is 44.736 Mbps
672 DS-0 channels
28 DS-1 channels
DS-3, which stands for Digital Signal Level 3, equates to 28 T-1 lines or 44.736 million bits per second (roughly 43-45 Mbps upstream/downstream speeds). DS-3s have enough bandwidth to allow very large database transferring over busy wide area networks and the capability of handling 672 simultaneous voice conversations. DS-3s typically run long haul over fiber optics and coax in the last mile, however there are many exceptions to this. In North America, DS-3 translates into T-3, which is the equivalent of 28 T-1 channels, each operating at a total signaling rate of 1.544 Mbps. The 28 T-1s are multiplexed through an M13 ('Multiplex 1-to-3' multiplexer), and 188 additional signaling and control bits are added to each T-3 frame. As each frame is transmitted 8,000 times a second, the total T-3 signaling rate is 44.736 Mbps. In a channelized application, T-3 supports 672 channels, each of 64 Kbps. In the European hierarchy, a DS-3 is in the form of an E-3, which runs at a total signaling rate of 34.368 Mbps, supports 480 channels, and is the equivalent of 16 E-1s.

OC-3: OC-3 is a network line with transmission speeds of up to 155.52 Mbit/s (payload: 148.608 Mbit/s; overhead: 6.912 Mbit/s, including path overhead) using fiber optics. Depending on the system, OC-3 is also known as STS-3 (electrical level) and STM-1 (SDH).
When OC-3 is not multiplexed by carrying the data from a single source, the letter c (standing for concatenated) is appended: OC-3c.
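Worked derivation of the figures quoted in the T1/DS3/OC3 and IMA posts above, as an added Python example (not code from the original posts): every rate is rebuilt from its frame structure in integer bits per second, which also accounts for the 1.536 vs 1.544 Mbps question. The 193rd framing bit per DS-1 frame and the 108-byte split of STS-3 overhead are assumptions taken from the T-carrier and SONET frame layouts, not values stated on the page.

```python
# Added example: rebuild the T-carrier / SONET line rates from frame structure.
# Everything is in integer bits per second so the figures match exactly.

FRAMES_PER_SECOND = 8000      # one frame every 125 us, the PCM voice sampling rate
BITS_PER_SAMPLE = 8           # one 8-bit sample per DS-0 channel per frame


def ds0_rate():
    """DS-0: one 64 kbit/s channel (8 bits x 8000 frames/s)."""
    return BITS_PER_SAMPLE * FRAMES_PER_SECOND


def ds1_payload_rate(channels=24):
    """The 1.536 Mbit/s in the post: payload only, 24 samples per frame."""
    return channels * ds0_rate()


def ds1_rate(channels=24, framing_bits=1):
    """T-1 / DS-1: a 193-bit frame = 24 samples + 1 framing bit (assumption from
    the DS-1 frame format), so 193 x 8000 = 1.544 Mbit/s. That framing bit is
    the missing 8 kbit/s between 1.536 and 1.544."""
    return (channels * BITS_PER_SAMPLE + framing_bits) * FRAMES_PER_SECOND


def ds3_rate(tributaries=28, overhead_bits=188):
    """T-3 / DS-3: 28 DS-1s through an M13 plus 188 overhead bits per frame,
    exactly as the post describes: 28 x 1.544 M + 188 x 8000 = 44.736 Mbit/s."""
    return tributaries * ds1_rate() + overhead_bits * FRAMES_PER_SECOND


def ds3_voice_channels(tributaries=28, channels=24):
    """Channelized T-3: 28 x 24 = 672 DS-0s."""
    return tributaries * channels


def oc3_rates(rows=9, columns=270, sts1_count=3):
    """STS-3 / STM-1 frame: 9 rows x 270 bytes, sent 8000 times a second.
    Overhead (assumption from the SONET frame layout): 3 columns of transport
    overhead per STS-1 (81 bytes) + 1 column of path overhead per STS-1 (27 bytes)."""
    line = rows * columns * 8 * FRAMES_PER_SECOND
    transport_overhead = rows * 3 * sts1_count
    path_overhead = rows * sts1_count
    overhead = (transport_overhead + path_overhead) * 8 * FRAMES_PER_SECOND
    return {"line": line, "overhead": overhead, "payload": line - overhead}


def ima_bundle_rate(t1_count):
    """Aggregate of an IMA bundle of n T-1s; the post's "12Meg" bundle is 8 T-1s.
    This is the raw sum of the T-1 line rates; IMA's own cell overhead is ignored."""
    return t1_count * ds1_rate()


def mbps(bits_per_second):
    """Bits per second to Mbit/s for display (decimal megabits)."""
    return bits_per_second / 1_000_000


if __name__ == "__main__":
    print(f"DS-1 payload : {mbps(ds1_payload_rate()):.3f} Mbit/s")   # 1.536
    print(f"DS-1 line    : {mbps(ds1_rate()):.3f} Mbit/s")           # 1.544
    print(f"DS-3 line    : {mbps(ds3_rate()):.3f} Mbit/s")           # 44.736
    oc3 = oc3_rates()
    print(f"OC-3 line    : {mbps(oc3['line']):.3f} Mbit/s")          # 155.520
    print(f"OC-3 payload : {mbps(oc3['payload']):.3f} Mbit/s")       # 148.608
    print(f"8 x T-1 IMA  : {mbps(ima_bundle_rate(8)):.3f} Mbit/s")   # 12.352
```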
-
NTP Sync Errors
Are you sure it is an issue with NTP?? NTPv4 can usually maintain time to within 10 milliseconds (1/100 s) over the public Internet, and can achieve accuracies of 200 microseconds (1/5000 s) or better in local area networks under ideal conditions. Do a bit of troubleshooting on the functionality of NTP on your workstation.

Troubleshooting
One of the quickest commands to verify that ntpd is still up and running as desired is ntpq -p. That command will show all peers used and configured together with their corner performance data.

    # ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     LOCAL(0)        LOCAL(0)         3 l    9   64  377    0.000    0.000   0.000
    *swisstime.ethz. .DCFa.           1 u   17   64  377   25.088  -10.040   1.071

Note the column st is stratum, where 1-3 is the typical value.

Windows 2000 (Win2K) uses a time service, known as Windows Time Synchronization Service (Win32Time), to ensure that all Win2K computers on your network use a common time. The W32Time Service is a fully compliant implementation of the Simple Network Time Protocol (SNTP) as detailed in IETF RFC 1769. SNTP uses UDP port 123 by default. You can download this tool to validate the UDP port 123 is open. If you want to synchronize your time server with an SNTP server on the Internet, make sure that port is available. Check out this article for troubleshooting Windows Time Service.

Test NTP server, using net time /querysntp
Select an NTP server, using net time /setsntp:swisstime.ethz.ch
Start the W32time service with net start W32Time

You can also set the start option of the Windows Time Synchronization Service (W32Time) to Automatic, so the service will start when Windows/2000 starts.
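To turn the ntpq -p reading above into a repeatable check, here is an added Python example (not code from the original post) that parses the peer table and flags the usual trouble signs: no peer selected with '*', a reach register short of 377, a large offset, or a stratum beyond the typical 1-3. The sample outputs are constructed (the healthy one re-lays out the two lines quoted in the post) and the 128 ms offset threshold is an assumption chosen for illustration.

```python
# Added example: parse "ntpq -p" output and flag the signs of a bad time source.
# Thresholds are assumptions chosen for illustration, not values from the post.
from dataclasses import dataclass

# Meaning of the first character (tally code) on each peer line.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "backup", "o": "pps peer", " ": "not selected"}

# Constructed sample: the two peer lines quoted in the post, laid out as ntpq prints them.
SAMPLE_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)         3 l    9   64  377    0.000    0.000   0.000
*swisstime.ethz. .DCFa.           1 u   17   64  377   25.088  -10.040   1.071
"""

# Constructed sample of an unhealthy host: 4 of the last 8 polls failed, the
# offset is large, and no peer carries the '*' selection mark.
SAMPLE_BAD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)         3 l    9   64  377    0.000    0.000   0.000
 swisstime.ethz. .DCFa.           1 u   17   64   17   25.088  950.310  80.250
"""


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    kind: str        # u = unicast, l = local clock, b = broadcast, ...
    poll: int
    reach: int       # 8-bit shift register printed in octal (377 = all 8 polls answered)
    delay_ms: float
    offset_ms: float
    jitter_ms: float


def parse_ntpq(text):
    """Turn the ntpq -p table into Peer records; header and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("remote", "=")):
            continue
        fields = line[1:].split()            # column 0 is the tally code
        if len(fields) != 10:
            continue                         # not a peer line we understand
        remote, refid, st, t, _when, poll, reach, delay, offset, jitter = fields
        peers.append(Peer(line[0], remote, refid, int(st), t, int(poll),
                          int(reach, 8), float(delay), float(offset), float(jitter)))
    return peers


def check_peers(peers, max_offset_ms=128.0, max_stratum=3):
    """Return human-readable findings; an empty list means the host looks healthy."""
    findings = []
    if not any(p.tally == "*" for p in peers):
        findings.append("no system peer selected ('*'): clock is not synchronised to any source")
    for p in peers:
        if p.kind == "l":
            if p.tally == "*":
                findings.append(f"{p.remote}: system peer is the local clock, time is free-running")
            continue                         # LOCAL(0) is only a fallback; skip the other checks
        missed = 8 - bin(p.reach).count("1")
        if missed:
            findings.append(f"{p.remote}: reach {p.reach:o}, missed {missed} of the last 8 polls")
        if abs(p.offset_ms) > max_offset_ms:
            findings.append(f"{p.remote}: offset {p.offset_ms:+.3f} ms exceeds {max_offset_ms} ms")
        if p.stratum > max_stratum:
            findings.append(f"{p.remote}: stratum {p.stratum} is above the usual 1-3")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_OK), ("degraded", SAMPLE_BAD)):
        print(f"{name}: {check_peers(parse_ntpq(sample)) or ['no findings']}")
```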
-
What is packet loss?
When you discover that Windows is discarding the packets, check out this technet article that describes an issue with the Windows Firewall silently discarding packets.

Broadcom NICs:
* Reduced number of packets discarded when disabling a NIC by adding delay to the PnP pause function to allow in-transit packets to arrive.

Check out this link to another forum describing a user that experienced lots of packet loss until they changed the NICs and now the problem went away.

Troubleshooting Cisco Catalyst Switches to NIC Compatibility Issues.pdf
-
What is packet loss?
Packet Loss is the discarding of data packets in a network when a device (switch, router, etc.) is overloaded and cannot accept any incoming data at a given moment. High-level transport protocols such as TCP/IP ensure that all the data sent in a transmission is received properly at the other end. Troubleshooting Cisco Catalyst Switches to NIC Compatibility Issues.pdf
-
Using tshark in Ubuntu
Okay it appears the issue has been resolved by implementing two solutions.

SOLUTION #1: utilize two scripts (cannot do a chmod on files that are in use or it will kill the process)

/home/hosangit/chkshrk (purpose is to check every 15 minutes and validate tshark is running and if not, start it up)

    #!/bin/sh
    # Capture command: -q suppresses per-packet output and -l flushes after each
    # packet; ring buffer of 1000 files of 18000 kB each
    STARTSHRK="tshark -i eth0 -q -l -n -t ad -b filesize:18000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
    LOGFILEC=/home/hosangit/chkshark.log
    SERVICE='tshark'

    echo "`date` Validating $SERVICE is running" >> $LOGFILEC
    if ps ax | grep -v grep | grep $SERVICE > /dev/null
    then
        echo "`date` $SERVICE service running, everything is fine" >> $LOGFILEC
    else
        echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILEC
        checktshark=`ps ax | grep -v grep | grep -c tshark`
        if [ $checktshark -le 0 ]
        then
            # start in the background so the script can go on to verify it
            $STARTSHRK &
            sleep 2    # give tshark a moment to exec before checking the process list
            if ps ax | grep -v grep | grep $SERVICE > /dev/null
            then
                echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILEC
            else
                echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILEC
            fi
        fi
        echo "`date` Exiting chkshark" >> $LOGFILEC
    fi

/home/hosangit/archivecap (purpose is to copy all capture files to archive directory and change permissions so they can be downloaded at 23:59)

    #!/bin/sh
    STOPTSHARK="pkill tshark"
    MOVEFILES="mv -f /home/hosangit/captures/*.* /home/hosangit/captures/archive"
    LOGFILE=/home/hosangit/archivecap.log

    echo "`date` Starting Archive of Capture Files" >> $LOGFILE
    echo "`date` Stopping tshark" >> $LOGFILE
    # capture is stopped first so no file is touched while tshark still has it open
    $STOPTSHARK
    sleep 5
    echo "`date` Moving files to Archive directory" >> $LOGFILE
    $MOVEFILES
    sleep 5
    echo "`date` Changing permissions to allow FTP download" >> $LOGFILE
    # 777 also makes the captures world-writable; read access (e.g. 644) is all a download needs
    chmod 777 /home/hosangit/captures/archive/*.cap
    sleep 5
    echo "`date` Done" >> $LOGFILE

SOLUTION #2: alter the tshark launch script to include the -q and -l options, which helps keep tshark up and running (look at the chkshrk script above for the exact command). Also do not use tshark as a filename when one of your calls in your script is looking to see if anything with tshark is running and if so then all is good.

Important to set the sudo crontab:

    00 * * * * /home/hosangit/chkshark
    15 * * * * /home/hosangit/chkshark
    30 * * * * /home/hosangit/chkshark
    45 * * * * /home/hosangit/chkshark
    59 23 * * * /home/hosangit/archivecap
-
Using tshark in Ubuntu
tshark would close after about 10 (20mb or 15mb) files, so I changed to 12mb files and it appeared to be running better, but after my 15 minute run of archivecap I ran ps -e|grep tshark and noticed the process id changed. So in short, my script is restarting tshark when it was running just fine. I believe the chmod part of my script is what is breaking tshark because I am chmod-ing an open file that tshark is using, so what I am going to try is taking that part out and seeing if tshark will continue to run even when the cron runs the check.
-
Using tshark in Ubuntu
Updated the script and now it seems to be working better.

    #!/bin/sh
    STARTTSHARK="tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap"
    LOGFILE=/home/hosangit/archivecap.log
    SERVICE='tshark'

    echo "`date` Validating $SERVICE is running" >> $LOGFILE
    if ps ax | grep -v grep | grep $SERVICE > /dev/null
    then
        echo "`date` $SERVICE service running, everything is fine" >> $LOGFILE
        chmod 777 /home/hosangit/captures/*.cap
        echo "`date` Finished chmod *.cap files" >> $LOGFILE
    else
        echo "`date` $SERVICE is not running, restarting $SERVICE" >> $LOGFILE
        checktshark=`ps ax | grep -v grep | grep -c tshark`
        if [ $checktshark -le 0 ]
        then
            # background the capture: without the & this line never returns
            # and the check below is never reached
            $STARTTSHARK &
            sleep 2    # let tshark exec before looking for it in the process list
            if ps ax | grep -v grep | grep $SERVICE > /dev/null
            then
                echo "`date` $SERVICE service is now restarted, everything is OK" >> $LOGFILE
            else
                echo "`date` Unable to start $SERVICE, suggest reboot" >> $LOGFILE
            fi
        fi
        echo "`date` Exiting archivecap" >> $LOGFILE
    fi
-
Using tshark in Ubuntu
I am noticing that every hour this script actually restarts tshark instead of just checking to see if it is running. Prior to the cron running I perform a ps -e|grep tshark and I see tshark running. Then on the hour when the cron runs it says it isn't running and then starts it up. So it must have something to do with the check. Maybe the file doesn't exist.
-
Using tshark in Ubuntu
I'm not the best at linux but I am someone who can usually figure things out. I am running tshark (instead of tcpdump) so I get better data when analyzed with wireshark. I want to run a check to make sure that tshark continues to run and if not then start it up again, and also chmod the .cap files so I can copy them down via FTP so I can analyze them.

First let's create the script to check if the service tshark is running and if not, launch it.

    #!/bin/sh
    SERVICE='tshark'
    echo "`date` Validating $SERVICE is running" >> /home/hosangit/archivecap.log
    if ps ax | grep -v grep | grep $SERVICE > /dev/null
    then
        echo "`date` $SERVICE service running, everything is fine" >> /home/hosangit/archivecap.log
        chmod 777 /home/hosangit/captures/*.cap
    else
        echo "`date` $SERVICE is not running!!!!!" >> /home/hosangit/archivecap.log
        echo "`date` Attempting to start $SERVICE now...." >> /home/hosangit/archivecap.log
        # ring buffer: 1000 files of 20000 kB, started in the background so the script can exit
        tshark -i eth0 -n -t ad -b filesize:20000 -b files:1000 -w /home/hosangit/captures/tshark_USTRO.cap &
        sleep 2    # let tshark exec before logging the process list
        echo `ps -e|grep tshark` >> /home/hosangit/archivecap.log
    fi

Let's save this file as archivecap and make it executable by typing

    sudo chmod +x /home/hosangit/archivecap

Now let's test it by running it (if you are in your home directory hosangit then)

    ./archivecap

If everything works, let's make a cronjob to run this every hour

    sudo crontab -e
    00 * * * * /home/hosangit/archivecap
    15 * * * * chmod 777 /home/hosangit/captures/*.*
    30 * * * * chmod 777 /home/hosangit/captures/*.*
    45 * * * * chmod 777 /home/hosangit/captures/*.*

Note: I have to chmod the capture files because I am using a sudo cron so I can launch tshark, which means I don't have rights to ftp the files down (I get an error can not open file), so I have to change the permissions on the files so I can ftp them down, which seems to work. So I setup a sudo cron to change permissions every 15 minutes.
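A pidfile-based version of the watchdog the tshark posts above describe, as an added Python example (not the poster's script): it records the pid of the capture it starts and checks that pid directly instead of grepping ps ax for the word tshark, which is what made the check misfire, and it opens finished captures to a download group with 640 rather than 777. The pidfile path and the selfcheck helper are assumptions; the capture directory and tshark command line are the ones from the chkshrk post.

```python
# Added example: pidfile watchdog for a long-running tshark capture.
import os
import subprocess
import tempfile
from pathlib import Path

# Paths from the posts (assumed layout; adjust for your host).
CAPTURE_DIR = Path("/home/hosangit/captures")
PIDFILE = Path("/home/hosangit/tshark.pid")
# The capture command from the chkshrk post: -q and -l keep tshark quiet and
# line-buffered under cron; the ring buffer is 1000 files of 18000 kB.
TSHARK_CMD = ["tshark", "-i", "eth0", "-q", "-l", "-n", "-t", "ad",
              "-b", "filesize:18000", "-b", "files:1000",
              "-w", str(CAPTURE_DIR / "tshark_USTRO.cap")]


def pid_alive(pid):
    """True if a process with this pid exists. Signal 0 sends nothing; EPERM
    still means the process is there (it belongs to another user)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def read_pid(pidfile):
    """Pid recorded by the last start, or None if there is no usable pidfile."""
    try:
        return int(Path(pidfile).read_text().strip())
    except (FileNotFoundError, ValueError):
        return None


def start_tshark(cmd=TSHARK_CMD):
    """Start the capture in its own session so it outlives the cron job, with
    stdio detached so nothing is written towards a tty that does not exist."""
    proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, start_new_session=True)
    return proc.pid


def ensure_running(pidfile, start=start_tshark, alive=pid_alive):
    """Cron entry point: 'running' if the recorded pid is alive, otherwise
    start a fresh capture, record its pid and return 'restarted'."""
    pid = read_pid(pidfile)
    if pid is not None and alive(pid):
        return "running"
    new_pid = start()
    Path(pidfile).write_text(f"{new_pid}\n")
    return "restarted"


def publish_captures(capture_dir, mode=0o640):
    """Let the download account (same group) read finished captures without
    making them world-writable as chmod 777 does. Returns the files touched."""
    touched = []
    for cap in sorted(Path(capture_dir).glob("*.cap")):
        os.chmod(cap, mode)
        touched.append(cap.name)
    return touched


def selfcheck():
    """Exercise the watchdog offline (assumed helper): our own pid stands in
    for tshark and a pid that cannot exist stands in for a crashed capture."""
    with tempfile.TemporaryDirectory() as tmp:
        pidfile = Path(tmp) / "tshark.pid"
        first = ensure_running(pidfile, start=os.getpid)     # no pidfile yet
        second = ensure_running(pidfile, start=os.getpid)    # recorded pid is alive
        pidfile.write_text("1073741824\n")                   # stale pid, no such process
        third = ensure_running(pidfile, start=os.getpid)
        cap = Path(tmp) / "tshark_USTRO_00001.cap"
        cap.write_bytes(b"")
        os.chmod(cap, 0o777)
        touched = publish_captures(tmp)
        perm = os.stat(cap).st_mode & 0o777
    return first, second, third, touched, perm


if __name__ == "__main__":
    print(selfcheck())   # ('restarted', 'running', 'restarted', ['tshark_USTRO_00001.cap'], 416)
```

Run ensure_running(PIDFILE) from the cron slots the post uses and publish_captures(CAPTURE_DIR) before the nightly archive; the download account only needs to share the group of the capture files.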
-
tcpdump
Wireshark is my preferred method of capturing files but it does take more resources (CPU and Memory) than a command line based tool like tcpdump. It would be best to look at the manpage for all the options but I will give you the example below that I use on a regular basis, which will continuously create 20Mb files and once 1000 files get created it will begin overwriting files.

    # -C takes the file size in units of 1,000,000 bytes, so -C 20 gives 20 MB files;
    # -W 1000 caps the rotation at 1000 files before the oldest is overwritten
    sudo tcpdump -i eth0 -nnvv -w /home/hosangit/captures/ustrocapture.log -W 1000 -C 20

Now that you have all these files here are a few tools you can use to analyze the data:

    Wireshark
    tshark (tshark -i eth0 -b filesize:20000 -b files:1000 -n -t ad -w /home/hosangit/captures/filename.cap)
    tcpdstat
    ipsumdump
    Netdude

I will include examples with each of these as I put them together with some screen shots.
-
Black Cherry Mojito
Black Cherry Mojito
    1 oz Bacardi White Rum
    1/2 oz black cherry syrup
    4 Mint leaves
    1 fresh Lime
    1/2 oz Simple syrup
    Soda Water