February 26, 2015

Golang parse xml simple example

package main

import (
	"encoding/xml"
	"fmt"
)

func main() {
	// encoding/xml matches attribute and element names case-sensitively, so the
	// lowercase "where" attribute must be named in the tag; a bare `xml:",attr"`
	// would look for an attribute called "Where" and leave the field empty.
	type Email struct {
		Where string `xml:"where,attr"`
		Addr  string // matches the <Addr> element exactly
	}
	type Result struct {
		Email []Email `xml:"email"` // every <email> child collected into the slice
	}
	v := Result{}

	data := `
	<person>
	<email where="home">
	<Addr>gre@example.com</Addr>
	</email>
	<email where='work'>
	<Addr>gre@work.com</Addr>
	</email>
	</person>
	`
	err := xml.Unmarshal([]byte(data), &v)
	if err != nil {
		fmt.Printf("error: %v\n", err)
		return
	}
	fmt.Printf("v: %#v\n", v)
}

February 23, 2015

Asynchronous PHP port scanner on Windows

The following PHP code scans the IP range 192.168.204.200 to 192.168.204.254 on port 443 in 5 seconds. It was tested on Windows with PHP 5.3, with the php_sockets extension enabled.

<?php
$port = 443;
$timeout = 5;  // timeout in seconds

// Start a non-blocking connect to every host and keep the sockets that are
// still connecting: 10035 is WSAEWOULDBLOCK on Windows; EINPROGRESS/EALREADY
// are the equivalent results on other platforms.
$write = array();
for ($i = 200; $i < 255; $i++) {
    $host = "192.168.204.$i";
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) or die("Unable to create socket\n");
    socket_set_nonblock($socket) or die("Unable to set nonblock on socket\n");
    $connected = @socket_connect($socket, $host, $port);
    if ($connected) {
        // Connected immediately (rare with non-blocking sockets); it will be writable at once.
        $write[] = $socket;
    } else {
        $error = socket_last_error($socket);
        if ($error != 10035 && $error != SOCKET_EINPROGRESS && $error != SOCKET_EALREADY) {
            socket_close($socket);
        } else {
            $write[] = $socket;
        }
    }
}

// A socket becomes writable once the connect completes, so wait for
// writability on all pending sockets until the deadline expires.
$count = 0;
$write0 = $write;
$mynil = NULL;
$timeout_us = 0;
$endtime = microtime(true) + $timeout;
$address = "";
while (true) {
    if (empty($write)) {
        die("Done. Total $count found.\n");
    }
    $ret = socket_select($mynil, $write, $mynil, $timeout, $timeout_us);
    if ($ret == 0) {
        die("Done. Total $count found.\n");
    }
    if ($ret > 0) {
        foreach ($write as $sock) {
            socket_getpeername($sock, $address);
            echo "$address\n";
            $count++;
            socket_close($sock);
        }
        // Keep waiting only on the sockets that have not connected yet.
        $write = array_diff($write0, $write);
        $write0 = $write;
        // Remaining time, split into whole seconds and microseconds as socket_select() expects.
        $newtimeout = max(0, $endtime - microtime(true));
        $timeout = (int) floor($newtimeout);
        $timeout_us = (int) (($newtimeout - $timeout) * 1000000);
    }
}

PHP asynchronous host scanner on Windows

The following PHP code scans the IP range 192.168.5.1-192.168.5.254 in 3 seconds and returns the reachable hosts. It sends ICMP echo requests on raw sockets, which requires administrator privileges on Windows.

<?php
$timeout = 3;

// Send one ICMP echo request to $host on a raw socket and return the socket,
// so that all replies can be awaited together with socket_select().
function ping($host) {
    /* ICMP echo request (type 8, code 0) with a pre-calculated checksum over the 16-byte packet */
    $package = "\x08\x00\x7d\x4b\x00\x00\x00\x00PingHost";
    $socket  = socket_create(AF_INET, SOCK_RAW, 1) or die("Unable to create raw socket\n"); // 1 = IPPROTO_ICMP
    socket_connect($socket, $host, 0);
    socket_send($socket, $package, strlen($package), 0);
    return $socket;
}

$read = array();
for ($i = 1; $i < 255; $i++) {
    $host = "192.168.5.$i";
    $read[] = ping($host);
}

// A socket becomes readable when its echo reply arrives.
$read0 = $read;
$mynil = NULL;
$timeout_us = 0;
$endtime = microtime(true) + $timeout;
while (true) {
    if (empty($read)) {
        die("Done\n");
    }
    $ret = socket_select($read, $mynil, $mynil, $timeout, $timeout_us);
    if ($ret == 0) {
        die("Done\n");
    }
    if ($ret > 0) {
        foreach ($read as $sock) {
            $address = "";
            socket_getpeername($sock, $address);
            echo "$address\n";
            socket_close($sock);
        }
        // Keep waiting only on the hosts that have not answered yet.
        $read = array_diff($read0, $read);
        $read0 = $read;
        // Remaining time, split into whole seconds and microseconds as socket_select() expects.
        $newtimeout = max(0, $endtime - microtime(true));
        $timeout = (int) floor($newtimeout);
        $timeout_us = (int) (($newtimeout - $timeout) * 1000000);
    }
}

February 18, 2015

use stunnel for ssl proxy

stunnel.conf (this sets up one server instance and one client instance; note that the [client] section sets no verify/CAfile options, so as written the client does not verify the certificate presented by api.opscode.com):

debug = 3
#foreground = yes
pid =
[server]
client = no
cert= ./server.pem
accept = 127.0.0.1:443
connect = 127.0.0.1:4434
[client]
client = yes
accept = 127.0.0.1:4434
connect = api.opscode.com:443

February 14, 2015

How to run an X program on a headless Linux server

# apt-get install xvfb

# Xvfb -shmem -screen 0 1280x1024x24

To test it you can run the following command:

# DISPLAY=:0 xdpyinfo

February 4, 2015

snmp manager for Windows and Mac

In addition to the paid version (iReasoning MIB browser) and agentpp's MIB explorer, there is a free and open source version called snmpb: http://snmpb.sf.net. I have tried it out for a short time and it worked well for me. It includes walk/get/set/table-view and also a trap receiver.

wireshark display filters

by Joke Snelders

Display Filters

To show just traffic from/to a specific station, use

wlan.addr==00:01:02:03:04:05

or wlan.ta, wlan.ra, wlan.sa, wlan.da

  • Show only the beacon frames:
    wlan.fc.type_subtype == 0x08
  • Show everything except the beacon frames:
    !wlan.fc.type_subtype == 0x08
  • Show only beacon frames and ack frames:
    (wlan.fc.type_subtype == 0x08) || (wlan.fc.type_subtype == 0x1d) 
  • Show everything except the beacon and ack frames
    (!wlan.fc.type_subtype == 0x08) && (!wlan.fc.type_subtype == 0x1d)
You will find more information in the Wireshark User's Guide and in the Wireshark Wiki.

In the Wireshark Display Filter Reference you will find an overview of the field names.
On the website Will Hack For Sushi you can find a cheat sheet, the 802.11 Pocket Reference Guide, with the type codes you can use in combination with wlan.fc.type and wlan.fc.type_subtype.

You can download the 802.11 Pocket Reference Guide here.



Here are some examples of the display filter fields; next you will learn how to use them as a display filter:

Frame type           Filter
Management frames    wlan.fc.type eq 0
Control frames       wlan.fc.type eq 1
Data frames          wlan.fc.type eq 2

Frame subtype          Filter
Association request    wlan.fc.type_subtype eq 0
Association response   wlan.fc.type_subtype eq 1
Probe request          wlan.fc.type_subtype eq 4
Probe response         wlan.fc.type_subtype eq 5
Beacon                 wlan.fc.type_subtype eq 8
Authentication         wlan.fc.type_subtype eq 11
Deauthentication       wlan.fc.type_subtype eq 12

Display Filters
  • Show beacons:
    wlan.fc.type_subtype eq 8
  • Show everything except the beacons:
    not wlan.fc.type_subtype eq 8
  • Show probe requests or probe responses:
    wlan.fc.type_subtype eq 4 or wlan.fc.type_subtype eq 5
  • Show everything except the beacons, probe requests or probe responses:
    not wlan.fc.type_subtype eq 4 and not wlan.fc.type_subtype eq 5 and not wlan.fc.type_subtype eq 8


Capture filters
When you use a capture filter only the packets that match the filter are dumped to a file. This will reduce the amount of data to be captured.

Capture filters have a different syntax than display filters.

You enter the capture filters into the Filter field of the Wireshark Capture Options dialog box and hit the Start button.

Here are some examples:

  • Capture only beacon frames:
    wlan[0] == 0x80
  • Capture everything except beacon frames:
    wlan[0] != 0x80
  • Capture only beacon frames and ack frames:
    wlan[0] == 0xd4
  • Capture everything except beacon frames and ack frames:
    wlan[0] != 0x80 and wlan[0] != 0xd4
You can use a wlan type or a wlan subtype as a capture filter.
Let me give you some capture filter samples.
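The capture filters above test the first byte of the 802.11 header (wlan[0]), while the display filters test wlan.fc.type_subtype; both encode the same type and subtype bits, just laid out differently. The following Go program is an added example, not part of the original post and not Wireshark or libpcap code: it decodes a Frame Control byte into those fields, prints the equivalent display and capture filter for it, and tallies a constructed set of sample frames by kind. The keyword tables and the sample frames in it are assumptions built from the lists on this page.

```go
package main

import "fmt"

// Layout of the first Frame Control byte (the byte wlan[0] reads):
//   bits 0-1  protocol version (0)
//   bits 2-3  type     0 = management, 1 = control, 2 = data
//   bits 4-7  subtype
// Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, which is why a
// beacon is wlan[0] == 0x80 but wlan.fc.type_subtype == 0x08.

// FrameInfo is the decoded form of one Frame Control byte.
type FrameInfo struct {
	Type        int // value of wlan.fc.type
	Subtype     int // 4-bit subtype within that type
	TypeSubtype int // value of wlan.fc.type_subtype
}

// typeKeyword gives the libpcap "type" keyword for each type value.
var typeKeyword = map[int]string{0: "mgt", 1: "ctl", 2: "data"}

// subtypeKeyword maps wlan.fc.type_subtype values to the libpcap "subtype"
// keywords used on this page (assumed subset, enough for the examples above).
var subtypeKeyword = map[int]string{
	0x00: "assocreq", 0x01: "assocresp", 0x04: "probereq", 0x05: "proberesp",
	0x08: "beacon", 0x0b: "auth", 0x0c: "deauth",
	0x1c: "cts", 0x1d: "ack", 0x1e: "cf-end",
	0x20: "data", 0x28: "qos-data",
}

// Decode splits a Frame Control byte into type, subtype and the combined code.
func Decode(fc byte) FrameInfo {
	t := int(fc>>2) & 0x3
	st := int(fc>>4) & 0xf
	return FrameInfo{Type: t, Subtype: st, TypeSubtype: t<<4 | st}
}

// Encode builds the wlan[0] byte for a type/subtype pair (protocol version 0).
func Encode(frameType, subtype int) byte {
	return byte(subtype<<4 | frameType<<2)
}

// DisplayFilter returns the display filter that selects exactly this frame kind.
func DisplayFilter(fc byte) string {
	return fmt.Sprintf("wlan.fc.type_subtype == 0x%02x", Decode(fc).TypeSubtype)
}

// CaptureFilter returns the keyword form of the capture filter when the
// subtype has a known libpcap keyword, and the byte-offset form otherwise.
func CaptureFilter(fc byte) string {
	if kw, ok := subtypeKeyword[Decode(fc).TypeSubtype]; ok {
		return "subtype " + kw
	}
	return fmt.Sprintf("wlan[0] == 0x%02x", fc)
}

// Tally counts frames by kind, looking only at the first header byte of each,
// which is exactly the test a capture filter such as wlan[0] == 0x80 applies.
func Tally(frames [][]byte) map[string]int {
	out := map[string]int{}
	for _, f := range frames {
		if len(f) == 0 {
			continue
		}
		info := Decode(f[0])
		name, ok := subtypeKeyword[info.TypeSubtype]
		if !ok {
			tk := typeKeyword[info.Type]
			if tk == "" {
				tk = "reserved" // type value 3 has no libpcap keyword
			}
			name = fmt.Sprintf("%s/0x%02x", tk, info.TypeSubtype)
		}
		out[name]++
	}
	return out
}

func main() {
	// Constructed sample: the two Frame Control bytes of a few frames; the rest
	// of each header is omitted because only the first byte is examined.
	frames := [][]byte{
		{0x80, 0x00}, // beacon
		{0x40, 0x00}, // probe request
		{0x50, 0x00}, // probe response
		{0xd4, 0x00}, // ack
		{0x88, 0x42}, // QoS data
		{0x80, 0x00}, // another beacon
	}
	for _, b := range []byte{0x80, 0xd4, 0xc4, 0xe4, 0x08} {
		fmt.Printf("wlan[0] == 0x%02x  ->  %-32s  %s\n", b, DisplayFilter(b), CaptureFilter(b))
	}
	fmt.Println(Tally(frames))
}
```

Running it shows the correspondence used by the dfilters and cfilters samples further down: 0x80 maps to beacon (0x08), 0xd4 to ack (0x1d), 0xc4 to CTS (0x1c) and 0xe4 to CF-End (0x1e), while a plain data frame (wlan[0] == 0x08) is wlan.fc.type_subtype 0x20, not a beacon.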

WLAN type
Valid wlan types are mgt, ctl and data.

Capture filter examples
  • Capture only management frames:
    type mgt
  • Capture everything except control frames:
    not type ctl
  • Capture data frames to/from mac address 04:1e:64:ea:c3:ef
    wlan host 04:1e:64:ea:c3:ef and type data

WLAN subtype
Management frames
Valid subtypes are:
assocreq, assocresp, reassocreq, reassocresp, probereq, proberesp, beacon, atim, disassoc, auth and deauth

Control frames
Valid subtypes are:
ps-poll, rts, cts, ack, cf-end and cf-end-ack

Data frames
Valid subtypes are:
data, data-cf-ack, data-cf-poll, data-cf-ack-poll, null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll and qos-cf-ack-poll

Capture filters examples
  • Capture only beacons:
    subtype beacon
  • Capture everything except beacons:
    not subtype beacon
  • Capture beacons, probe requests and probe responses:
    subtype beacon or subtype probereq or subtype proberesp
  • Capture all frames except beacons, probe requests and probe responses:
    not subtype beacon and not subtype probereq and not subtype proberesp
  • Capture beacons, probe requests and probe responses to/from host 00:0c:f6:69:f8:69:
    (wlan host 00:0c:f6:69:f8:69 and subtype beacon) or (wlan host 00:0c:f6:69:f8:69 and subtype probereq) or (wlan host 00:0c:f6:69:f8:69 and subtype proberesp)

    You can also use this capture filter:

    wlan host 00:0c:f6:69:f8:69 and (subtype beacon or subtype probereq or subtype proberesp)
  • Capture probe requests from wlan host 00:0c:f6:69:f8:69 and probe responses from wlan host: 00:24:2c:69:f8:69
    (wlan host 00:0c:f6:69:f8:69 and subtype probereq) or (wlan host 00:24:2c:69:f8:69 and subtype proberesp)
  • Capture beacons, probe requests and probe responses to/from host 00:0c:f6:69:f8:69 or to/from host 00:24:2c:69:f8:69:
    (wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69) and (subtype beacon or subtype probereq or subtype proberesp)
  • Capture all packets from wlan src 00:24:2c:69:f8:69 except beacons, probe requests and probe responses:
    wlan src 00:24:2c:69:f8:69 and not subtype beacon and not subtype probereq and not subtype proberesp
  • Capture all association requests/responses, reassociation requests/responses, disassociation and (de)authentication frames and all eapols:
    (subtype assocreq or subtype assocresp or subtype reassocreq or subtype reassocresp or subtype disassoc or subtype auth or subtype deauth) or (ether proto 0x888e)
  • Capture all eapols, association requests/responses, reassociation requests/responses, disassociation and (de)authentication frames to/from wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69:
    (wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69) and (ether proto 0x888e or subtype assocreq or subtype assocresp or subtype reassocreq or subtype reassocresp or subtype disassoc or subtype auth or subtype deauth)
  • Capture all frames to/from wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69:
    wlan host 00:0c:f6:69:f8:69 or wlan host 00:24:2c:69:f8:69

Interesting links:
Understanding 802.11 Frame Types by Jim Geier
Ubuntu manual
Wireless Communications by Martin Land
WildPackets: Wireless LAN Overview
Packetstan: A blog about packets, tools, and bacon

Save the display and capture filters to file for future use
File dfilters
To save the display filters for future use you can modify the file dfilters. 
In Windows XP the file dfilters is located at:
C:\Documents and Settings\<user>\Application Data\Wireshark\dfilters
In Windows 7 or Windows Server 2008 at:
C:\Users\<user>\AppData\Roaming\Wireshark\dfilters
Notes:
  • You have to turn on "Show Hidden Files, Folders, and drives" to see the AppData folder:
    go to Control Panel\All Control Panel Items -> Folder Options -> View -> Show Hidden Files, Folders, and drives.
  • If there is no file dfilters at this location, you can copy and paste the file from C:\Program Files\Wireshark\dfilters to C:\Users\<user>\AppData\Roaming\Wireshark\dfilters.
  • The file dfilters has no extension.
Open the file dfilters with Notepad.
Copy and paste the following text to dfilters:
"WLAN DISPLAY FILTERS" HEADER
"    Beacon Frames" wlan.fc.type_subtype == 0x08
"    No Beacon Frames" !wlan.fc.type_subtype == 0x08
"    Beacon Frames or Ack's" (wlan.fc.type_subtype == 0x08) || (wlan.fc.type_subtype == 0x1d)
"    No Beacon Frames and No Ack" (!wlan.fc.type_subtype == 0x08) && (!wlan.fc.type_subtype == 0x1d)

Make sure to end the file with an empty line, otherwise you won't see the last filter.

File cfilters
Repeat the steps above to modify the file cfilters.

Copy and paste the following text to cfilters:
"WLAN CAPTURE FILTERS" HEADER
"    Capture only Ethernet type EAPOL" ether proto 0x888e
"    Beacon Frames" wlan[0] == 0x80
"    No Beacon Frames" wlan[0] != 0x80
"    Probe Requests" wlan[0] == 0x40
"    No Probe Requests" wlan[0] != 0x40
"    Probe Response" wlan[0] == 0x50
"    No Probe Response" wlan[0] != 0x50
"    Ack" wlan[0] == 0xd4
"    No Ack" wlan[0] != 0xd4
"    CF-End" wlan[0] == 0xe4
"    No CF-End" wlan[0] != 0xe4
"    Clear-to-send" wlan[0] == 0xc4
"    No Clear-to-send" wlan[0] != 0xc4
"    Beacon Frames - Probe Response/Request - Ack" wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4
"    No Beacon Frames - No Probe Response/Request - No Ack" wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4
"    Beacon Frames-Probe Resp/Req-Ack-CF-End-Clear-to-send" wlan[0] == 0x80 or wlan[0] == 0x50 or wlan[0] == 0x40 or wlan[0] == 0xd4 or wlan[0] == 0xe4 or wlan[0] == 0xc4
"    No Beacon Frames-Probe Resp/Req-Ack-CF-End-Clear-to-send" wlan[0] != 0x80 and wlan[0] != 0x50 and wlan[0] != 0x40 and wlan[0] != 0xd4 and wlan[0] != 0xe4 and wlan[0] != 0xc4

After you have edited the files and restarted Wireshark the new filters show up in the "Display Filters" and "Capture Filters" dialog boxes.

The original post: http://www.lovemytool.com/blog/2010/07/wireshark-wireless-display-and-capture-filters-samples-part-2-by-joke-snelders.html