decoding ripv2 packets with Packetor

I regularly read Daniel Miessler’s blog and his unsupervised learning newsletter.  He recently mentioned a website called Packetor which is a free online packet analyzer.

I captured some ripv2 packets on my lab network using tcpdump, and filtered for destination address, which is the multicast IP address for ripv2 routers.  Ripv2 routers blast their entire routing table to this multicast address periodically (usually every 30 seconds).  I captured the packets like so:

sudo tcpdump -i eno1 dst -# -XX | tee ripd.txt

This command captures ripv2 packets, numbers them, displays them in hex and ascii, and pipes the output to a text file.  Here is some of the tcpdump output.

 3 21:31:38.536458 IP > igmp v2 report
0x0000: 0100 5e00 0009 e411 5b40 6fa8 0800 46c0 ..^.....[@o...F.
0x0010: 0020 0000 4000 0102 4361 c0a8 0005 e000 ....@...Ca......
0x0020: 0009 9404 0000 1600 09f6 e000 0009 ..............
4 21:31:44.808348 IP > igmp v2 report
0x0000: 0100 5e00 0009 e411 5b40 6fa8 0800 46c0 ..^.....[@o...F.
0x0010: 0020 0000 4000 0102 4361 c0a8 0005 e000 ....@...Ca......
0x0020: 0009 9404 0000 1600 09f6 e000 0009 ..............
5 21:31:55.606022 IP > RIPv2, Response, length: 64
0x0000: 0100 5e00 0009 0014 1c61 b1b4 0800 45c0 ..^......a....E.
0x0010: 005c 0000 0000 0211 1657 c0a8 00c9 e000 .\.......W......
0x0020: 0009 0208 0208 0048 ea3d 0202 0000 0002 .......H.=......
0x0030: 0000 0a0a 0a32 ffff ffff 0000 0000 0000 .....2..........
0x0040: 0001 0002 0000 0a14 1400 ffff ff00 0000 ................
0x0050: 0000 0000 0001 0002 0000 0a32 3206 ffff ...........22...
0x0060: ffff 0000 0000 0000 0002 ..........
6 21:32:21.206294 IP > RIPv2, Response, length: 64
0x0000: 0100 5e00 0009 0014 1c61 b1b4 0800 45c0 ..^......a....E.
0x0010: 005c 0000 0000 0211 1657 c0a8 00c9 e000 .\.......W......
0x0020: 0009 0208 0208 0048 ea3d 0202 0000 0002 .......H.=......
0x0030: 0000 0a0a 0a32 ffff ffff 0000 0000 0000 .....2..........
0x0040: 0001 0002 0000 0a14 1400 ffff ff00 0000 ................
0x0050: 0000 0000 0001 0002 0000 0a32 3206 ffff ...........22...
0x0060: ffff 0000 0000 0000 0002 ..........

This is great and all, but I wanted to see some human-readable routing table information. That is where Packetor came in.

I pasted the hex output of a frame from the router at and got much more detailed information about the routing table ->
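The same decode can be done offline. The following is an added example (my own code, not Packetor's and not part of the original post): it rebuilds the raw bytes of frame 5 from the tcpdump -XX text above, then walks Ethernet, IPv4, UDP and the RIPv2 message to list the advertised routes. It also recognises an RFC 2453 authentication entry (address family 0xFFFF) and flags metric 16 as unreachable; this frame carries no authentication entry, which is worth noticing, because an unauthenticated RIPv2 Response from any host on the segment will be accepted by listeners on 224.0.0.9.

```python
"""Decode the RIPv2 frame from the tcpdump -XX output above (added example)."""
import re
import struct
from ipaddress import IPv4Address

# Frame 5 from the capture above, copied from the page (tcpdump -XX output).
FRAME_HEX = r"""
0x0000: 0100 5e00 0009 0014 1c61 b1b4 0800 45c0 ..^......a....E.
0x0010: 005c 0000 0000 0211 1657 c0a8 00c9 e000 .\.......W......
0x0020: 0009 0208 0208 0048 ea3d 0202 0000 0002 .......H.=......
0x0030: 0000 0a0a 0a32 ffff ffff 0000 0000 0000 .....2..........
0x0040: 0001 0002 0000 0a14 1400 ffff ff00 0000 ................
0x0050: 0000 0000 0001 0002 0000 0a32 3206 ffff ...........22...
0x0060: ffff 0000 0000 0000 0002 ..........
"""

RIP_COMMANDS = {1: "Request", 2: "Response"}
RIP_AUTH_FAMILY = 0xFFFF   # RFC 2453: an entry with this AF carries authentication, not a route
RIP_INFINITY = 16          # metric 16 means "unreachable" in RIP


def parse_tcpdump_hex(text):
    """Rebuild the raw frame bytes from tcpdump -XX lines.

    Each line is '0xOFFSET:' followed by up to eight 4-hex-digit groups and an
    ASCII column.  Whitespace on the page is collapsed, so the ASCII column is
    taken to start at the first token that is not pure hex; the offset check
    catches lines that were dropped or reordered.
    """
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x([0-9a-fA-F]+):\s*(.*)", line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"expected offset {len(data):#06x}, line says {offset:#06x}")
        for tok in m.group(2).split():
            if len(data) - offset >= 16 or not re.fullmatch(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?", tok):
                break
            data += bytes.fromhex(tok)
    return bytes(data)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def prefix_len(mask):
    return bin(int.from_bytes(mask, "big")).count("1")


def decode_ripv2_frame(frame):
    """Walk Ethernet -> IPv4 -> UDP -> RIP and return the decoded fields."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype {ethertype:#06x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError(f"not UDP: protocol {proto}")
    udp = ip[ihl:total_len]          # total_len trims anything trailing the datagram
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if sport != 520 and dport != 520:
        raise ValueError("not RIP: neither port is 520")
    payload = udp[8:ulen]
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    routes, auth = [], None
    for off in range(4, 4 + 20 * ((len(payload) - 4) // 20), 20):   # 20-byte entries
        entry = payload[off:off + 20]
        family = struct.unpack("!H", entry[:2])[0]
        if family == RIP_AUTH_FAMILY:
            auth = {"type": struct.unpack("!H", entry[2:4])[0], "data": entry[4:]}
            continue
        _tag, addr, mask, nexthop, metric = struct.unpack("!H4s4s4sI", entry[2:])
        routes.append({
            "prefix": f"{IPv4Address(addr)}/{prefix_len(mask)}",
            "next_hop": str(IPv4Address(nexthop)),   # 0.0.0.0 means "via the sender"
            "metric": metric,
            "unreachable": metric >= RIP_INFINITY,
        })
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "ip_src": str(IPv4Address(ip[12:16])), "ip_dst": str(IPv4Address(ip[16:20])), "ttl": ttl,
        "udp_sport": sport, "udp_dport": dport,
        "command": RIP_COMMANDS.get(command, f"unknown({command})"), "version": version,
        "auth": auth, "routes": routes,
    }


if __name__ == "__main__":
    d = decode_ripv2_frame(parse_tcpdump_hex(FRAME_HEX))
    print(f"{d['ip_src']} -> {d['ip_dst']} RIPv{d['version']} {d['command']}, auth={d['auth']}")
    for r in d["routes"]:
        print(f"  {r['prefix']:<20} via {r['next_hop']:<10} metric {r['metric']}")
```

Run as-is, it prints the three routes the router advertised (10.10.10.50/32 and 10.20.20.0/24 at metric 1, 10.50.50.6/32 at metric 2) from 192.168.0.201 to 224.0.0.9, with no authentication entry. The same parser works on the output of the `tcpdump -i eth2 udp port 520 -XX -#` command used later on this page.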

I’m impressed.   Definitely going into ctrl+d.

capturing and decoding APRS packets with software defined radio

I have a commercial FCC license (general radio operators license) as a requirement for my current position. I also have a general class amateur radio license, KD5UUU, but I’ve never had any equipment. That is, until I bought a $20 rtl-sdr radio dongle.

It’s pretty amazing what you can do with it. Recently, I’ve been capturing and decoding Automatic Packet Reporting System (APRS) packets. These are AX.25 frames broadcast on 144.39MHz, generally used to track vehicles by sending their GPS coordinates.

There are several high-quality graphical SDR applications out there, my favorite being CubicSDR.

CubicSDR monitoring 144.39MHz for APRS packets using RTL-SDR on a VHF Sinclair antenna mounted at 210′

CubicSDR allows for recording live traffic. I set it up to record a mono WAV at 44.1 kHz, and to only record when a signal breaks the squelch threshold that I set.

Here is a recording of the packets I captured. Pretty slow day: recording for around 10 minutes only captured 8 discernible frames. I received transmissions from Jackson, TN all the way to Harding University in Searcy, AR (I was located in Wynne, AR).

So what’s in there? You need to install direwolf to see. Once you have it installed, go to the directory where the audio is saved and run atest on the recording.

atest recording.wav

Here are the decoded frames from the recording above.

You can see that most frames contain GPS info. APRS can also be used for short text messages. Frame #8 contains one such example: ‘Wht RAM 4X4 pickup’.
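To show what direwolf's atest is pulling out of those frames, here is an added example (my own code, not direwolf's and not from the recording above) that parses the TNC2 monitor format atest prints, `SOURCE>DEST,PATH:INFO`, and decodes the two information types mentioned here: position reports (the `!`, `=`, `/` and `@` forms, the latter two carrying a 7-character timestamp) and addressed text messages. The three frames in it are constructed, with the N0CALL placeholder callsign, so the coordinates and message are not real. Everything in an APRS frame is plaintext with no authentication, which is exactly why a $20 dongle can read vehicle positions; the decoder keeps the digipeater path so you can see who relayed what.

```python
"""Parse APRS frames in the TNC2 monitor format that direwolf's atest prints (added example)."""
import re

# Constructed sample frames in TNC2 format (source>dest,path:info); not from the recording above.
SAMPLE_FRAMES = """
N0CALL-9>APRS,WIDE1-1,WIDE2-1:!3515.00N/09030.00W>Wht RAM 4X4 pickup
N0CALL-1>APRS,WIDE2-1:@120000z3500.00N/09100.00W-Home station
N0CALL-1>APRS,WIDE2-1::N0CALL-9 :Are you coming to the meeting?{001
"""

TNC2_RE = re.compile(r"^([A-Z0-9]{1,6}(?:-\d{1,2})?)>([A-Z0-9-]+)((?:,[A-Z0-9*-]+)*):(.*)$")
# DDMM.hh[NS] <symbol table> DDDMM.hh[EW] <symbol code> <comment>; spaces are position ambiguity
POS_RE = re.compile(r"^([0-9 ]{4}\.[0-9 ]{2})([NS])(.)([0-9 ]{5}\.[0-9 ]{2})([EW])(.)(.*)$", re.S)
# :ADDRESSEE (padded to 9):text{optional id up to 5 chars
MSG_RE = re.compile(r"^:([A-Z0-9 -]{9}):(.*?)(?:\{([A-Za-z0-9]{1,5}))?$")


def aprs_coord(field, hemi, degree_digits):
    """Convert 'DDMM.hh' (lat, 2 degree digits) or 'DDDMM.hh' (lon, 3) to decimal degrees.

    Position ambiguity replaces trailing digits with spaces; they are treated as 0, so the
    result is the south-west corner of the ambiguous cell rather than its centre.
    """
    field = field.replace(" ", "0")
    degrees = int(field[:degree_digits])
    minutes = float(field[degree_digits:])
    value = degrees + minutes / 60.0
    return -value if hemi in "SW" else value


def parse_info(info):
    """Decode the information field; anything not handled is returned raw."""
    if not info:
        return {"type": "other", "raw": info}
    kind = info[0]
    if kind in "!=/@":
        body, timestamp = info[1:], None
        if kind in "/@":                       # these two forms carry a timestamp first
            timestamp, body = body[:7], body[7:]
        m = POS_RE.match(body)
        if not m:
            return {"type": "position", "error": "unparsable position", "raw": info}
        lat, ns, table, lon, ew, symbol, comment = m.groups()
        return {"type": "position", "timestamp": timestamp,
                "lat": round(aprs_coord(lat, ns, 2), 5), "lon": round(aprs_coord(lon, ew, 3), 5),
                "symbol": table + symbol, "comment": comment}
    if kind == ":":
        m = MSG_RE.match(info)
        if m:
            return {"type": "message", "addressee": m.group(1).strip(),
                    "text": m.group(2), "id": m.group(3)}
    return {"type": "other", "raw": info}


def parse_frame(line):
    """Split one TNC2 line into source, destination, digipeater path and decoded info."""
    m = TNC2_RE.match(line.strip())
    if not m:
        return None
    src, dest, path, info = m.groups()
    digis = path.lstrip(",").split(",") if path else []
    return {"from": src, "dest": dest, "path": digis, **parse_info(info)}


def parse_log(text):
    return [f for f in (parse_frame(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in parse_log(SAMPLE_FRAMES):
        print(f)
```

Frames whose information field starts with anything else (status reports, telemetry, weather) come back as `type: other` with the raw text, so nothing is silently dropped.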

You can see live and historical APRS traffic at on a map. It’s pretty cool to see amateur operators travel across the screen.

An example of an amateur operator’s progress along a stretch of I-40 near Memphis, TN from

pine64 unboxing

I love tinkering with single board computers. I was an early adopter of the CHIP (until they tanked) and later the Raspberry Pi family of SBCs.

the now defunct CHIP

I was looking for a cheaper alternative to the Pi model 3 ($35) yet more powerful than the Pi Zero W. There were several alternatives such as the OrangePi, but after reading the forums, it looked like there were some serious overheating problems and poor support from the community. I came across the Pine64 and just had to get one.

I haven’t done much with it yet; I just burned the Debian + MATE desktop image that a member of the community made available, but so far I am impressed. I got the base Allwinner quad-core 64-bit, 512MB memory model for just $15!

pine64 processor info

Somewhat larger than the Pi 3, it has 10/100 Ethernet, HDMI, 2x USB ports, and lots of GPIO pins. I can’t wait to get started.

pine64 vs raspberry pi 3b


perl regex script for IP traffic analysis

Perl is my language of choice for just about everything: shell scripting, Windows applications using Tk, IoT, Raspberry Pi GPIO, and sometimes even web via CGI (an anachronism, I know). It’s just so easy to do something really powerful with little effort.

I have been using Wireshark since it was Ethereal, back in the early 2000s when I was caught up deep in the Cisco certification racket. Lately, I prefer the granular control of tcpdump from the command line. One of Perl’s many great strengths is of course its regular expression capabilities. One night, just for fun, I wanted to analyze my TCP/IP traffic as I was casually browsing some of my usual sites. I ran the following command and had the output piped to a text file:

sudo tcpdump -i eth2 -n -# dst | tee dump.txt

Pretty simple. It tells tcpdump to monitor my Ethernet interface, not to resolve hostnames, number each packet, record only packets destined for my PC, and write the results to dump.txt. You immediately see results on the screen:

tcpdump results

I wrote a very simple script off the top of my head to scan the results file, dump.txt, for IPv4 addresses, and then tell me the number of packets received from that address, the name of the organization that it originated from, and the country of origin.

The Perl regex that I came up with for finding an IP address in a text file is embarrassingly simple, but very effective.

while($_ =~ /(\d+\.\d+\.\d+\.\d+)/g){
    print "$1\n";    #$1 holds the address just matched on the current line
}#end while

Does it test for invalid addresses? No. But after using this for some time, it has never failed to find every IP address in the output of a tcpdump capture. My script looks at each IP address and runs a whois command for each unique address. I then use more regexes to find the organization and country of origin. Below is a sample output.

This particular capture was very brief, and only contained 7 unique addresses.  This script, however, can work for hundreds or thousands of IP addresses.

I also used this script to parse the auth.log file on one of my internet-facing home servers. I stupidly had my home server with port 22 open for ssh. I was constantly being hit with attempts to log in to my server with well known usernames and passwords, literally all day long. (I changed the ssh port later and nearly all of this stopped!) Most of these login attempts were from foreign countries, no doubt running a script. I was first alerted to this problem by running

netstat -t

and seeing a lot of TCP connections to strange addresses that I was sure were unsolicited, and that I did not initiate.
Here is the script in its entirety.

#!/usr/bin/perl -w
use strict;
$| = 1;

# parses tcpdump file for ip addresses
#
# example for creating file:
# sudo tcpdump -i eth0 > dump.txt


open FH, "dump.txt" or die $!;

#array for IP addresses
my @ips;
my @uips;            #unique IP address array

my $ln = 1;          #line counter, handy for debugging

while(<FH>){
    while($_ =~ /(\d+\.\d+\.\d+\.\d+)/g){
        my $found = $1;      #copy the match so later regexes can't clobber $1
        push @ips, $found;
        #print "$found\ton line $ln\n";

        #reset each match
        my $dexist = 0;

        #count how often this IP is already in the array; it was just pushed,
        #so a count of exactly 1 means we have not seen it before
        foreach my $ip (@ips){
            if($ip eq $found){
                $dexist++;
            }#end if
        }#end foreach

        if($dexist == 1){
            push @uips, $found;
        }#end if
    }#end while (regex)
    $ln++;
}#end while (file)

close FH;

my $n_ip = @uips;
print "$n_ip IP addresses found......\n-----------------------------------------\n";
foreach my $addr (@uips){
    print $addr."\n";
}#end foreach

my $n = 1;
foreach my $ipa (@uips){
    print "\n$n--------------------------------------------\n";
    my $n_occur = 0;

    #count the packets seen from this address
    foreach my $seen (@ips){
        if($seen eq $ipa){
            $n_occur++;
        }#end if
    }#end foreach

    print "$ipa\t$n_occur \n";

    #$ipa can only contain digits and dots (it came from the regex above),
    #so it is safe to hand to the shell here
    system("whois $ipa > whois.txt");
    open WT, "whois.txt" or die $!;
    while(<WT>){
        if($_ =~ /Organization/i){ print $_; }
        if($_ =~ /Country/i){ print $_; }
    }#end while
    close WT;
    $n++;
}#end foreach

Simple, but effective.  You could use this on ANY text document that contains IP addresses.
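The following is an added example, my own code rather than the Perl script from this post, that does the same job with a stricter pattern: each octet is checked for the 0-255 range and the match may not be glued to another digit or dot, so tcpdump's `address.port` notation still yields just the address, while strings like `999.1.1.1` or `10.0.0.256` are rejected. The sample input is constructed (documentation-range addresses in tcpdump -n -# lines plus two sshd lines of the kind found in auth.log), the whois record is a constructed stand-in for real output, and `whois_lookup` shows how to call the system whois client without going through a shell. It also goes slightly beyond the post by accepting RIPE-style keys when picking out the organisation.

```python
"""Pull IPv4 addresses out of tcpdump or auth.log output, count them and attach whois details
(added example, not the Perl script from the post)."""
import re
import subprocess
from collections import Counter

# Like the Perl regex above, but each octet must be 0-255 and the match may not touch another
# digit or dot, so tcpdump's "addr.port" form still yields the address only.
IPV4_RE = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)")
NAIVE_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")   # the regex from the post, for comparison

# Constructed sample: three tcpdump -n -# lines and two sshd lines as seen in auth.log, plus junk.
SAMPLE_LOG = """\
1 21:07:12.001234 IP 198.51.100.7.443 > 192.168.1.10.54321: Flags [P.], seq 1:100, ack 1, win 501, length 99
2 21:07:12.002345 IP 192.168.1.10.54321 > 198.51.100.7.443: Flags [.], ack 100, win 501, length 0
3 21:07:13.115678 IP 192.0.2.80.80 > 192.168.1.10.54322: Flags [S.], seq 0, ack 1, win 65535, length 0
Jan 12 03:14:07 homebox sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Jan 12 03:14:09 homebox sshd[2231]: Failed password for root from 203.0.113.45 port 51130 ssh2
garbage: 999.1.1.1 and 10.0.0.256 are not addresses
"""

# Constructed sample shaped like ARIN whois output; not a real record.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        TEST-NET-3
Organization:   Example Hosting Ltd (EHL-1)
Country:        NL
"""


def extract_ips(text, pattern=IPV4_RE):
    return [m.group(0) for m in pattern.finditer(text)]


def count_ips(text, pattern=IPV4_RE):
    """Packets (or log lines) per address, like the $n_occur loop in the Perl script."""
    return Counter(extract_ips(text, pattern))


def parse_whois(text):
    """Pick the organisation and country out of whois output (ARIN and RIPE style keys)."""
    fields = {"organization": None, "country": None}
    for line in text.splitlines():
        m = re.match(r"^\s*(Organization|OrgName|org-name|owner)\s*:\s*(.+?)\s*$", line, re.I)
        if m and fields["organization"] is None:
            fields["organization"] = m.group(2)
        m = re.match(r"^\s*country\s*:\s*(.+?)\s*$", line, re.I)
        if m and fields["country"] is None:
            fields["country"] = m.group(1)
    return fields


def whois_lookup(ip):
    """Run the system whois client as an argument list (no shell), with a timeout."""
    proc = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=30)
    return parse_whois(proc.stdout)


def report(text, lookup=whois_lookup):
    """(address, count, organisation, country) rows, most frequent address first."""
    rows = []
    for ip, n in count_ips(text).most_common():
        info = lookup(ip)
        rows.append((ip, n, info["organization"], info["country"]))
    return rows


if __name__ == "__main__":
    # Stub lookup so the demo runs offline; pass lookup=whois_lookup for real queries.
    stub = lambda ip: parse_whois(SAMPLE_WHOIS) if ip == "203.0.113.45" else parse_whois("")
    for ip, n, org, cc in report(SAMPLE_LOG, lookup=stub):
        print(f"{ip:<16} {n:>4}  {org}  {cc}")
```

On the constructed input the strict pattern finds four distinct addresses, while the naive one also returns the two bogus strings on the last line; on real tcpdump output the two usually agree, which matches the post's experience.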

cisco 2801 & 2621XM load testing with iperf

I just wanted to see what would happen to the CPU of a few Cisco routers if I flooded them with traffic using iperf.  Specifically, I wondered if it was possible to ‘weaponize’ iperf by setting up multiple clients sending tons of traffic across a network to an iperf sink.

I set up an iperf server on a 10.3 FreeBSD machine like so:

iperf -s

freeBSD iperf server

As you can see, the client at sent 444MB in 60 seconds. What was really interesting to me was the CPU load on the Cisco 2621XM router that is connected to the network: nearly 90%!

From what I understand, the Cisco 2621XM router has an MPC860 processor capable of 88MIPS at 66MHz. I would posit that it is possible to disable a router such as this with an iperf attack coming from multiple devices. I mean, only one iperf client nearly maxed it out.

Now for the more powerful Cisco 2801.  CPU utilization hovers near 50%.

Even with multiple clients sending traffic to the iperf server, the CPU utilization never increases. I assume this is due to the CEF (Cisco Express Forwarding) functionality of the router, but I am not sure.

replacing static routes with quagga rip v2 on ubuntu

I have been experimenting with the network traffic generation tool iperf in my home networking lab to load test a few Cisco routers. I was curious what the CPU load would be on the routers with multiple PCs sending traffic across several routed subnets. I configured two PCs on my workstation segment,, as iperf clients and set up a dual-core Pentium 4 FreeBSD 10.3 machine as the iperf server, spanning a Cisco 2801 and a Cisco 2621XM like so:

iperf lab load test setup

The routers use the RIP v2 routing protocol to learn all of their configured routes, consisting of several VLSM 10.X.X.X and 192.168.X.X networks. I was initially using static routing on my iperf client PCs to send packets to the iperf sink PC on the network like so:

sudo route add -net gw

This got somewhat tedious after a while, having to run this on multiple machines before I could do any testing. A few years ago, I had done some experimentation with Quagga. Quagga is a software routing suite that can turn a *nix PC into a router that learns IP routes using protocols like RIPv2, OSPF and BGP. I used RIPv2 for simplicity.

FYI: this is not a tutorial on installing or configuring quagga or iperf.  There are many tutorials out there for that.

After configuring Quagga and the ripd daemon on my iperf client PCs, they automatically learned the routes to all the 10 and 192.168 networks in my lab with no manual configuration on my part.

To see the routes my PC learned via ripd + Quagga, connect to the zebra daemon and run the following:

telnet localhost zebra
show ip route

Here, you can see the routes the PC learned via RIPv2 from the Cisco routers.

The following tcpdump command shows the RIPv2 packets coming from the PC’s neighboring router:

sudo tcpdump -i eth2 udp port 520 -XX -#

Now, each time I turn on my PCs, they learn the routes in my lab automatically with no configuration on my part.

Next time, I will post the results of the CPU load on the Cisco routers using iperf testing.