Monthly Archives: November 2010

tar system backup & restore


tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /


tar cvpjf backup.tar.bz2 --exclude=/proc --exclude=/lost+found --exclude=/backup.tar.bz2 --exclude=/mnt --exclude=/sys /


tar xvpfz backup.tgz -C /

tar xvpfj backup.tar.bz2 -C /

mkdir proc
mkdir lost+found
mkdir mnt
mkdir sys
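The one-liners above archive the live root filesystem. The script below is an added example, not code from the original post, that exercises the same pattern against a throwaway directory tree standing in for "/", so it runs anywhere as an unprivileged user: it creates the archive with the same excludes, checks which members actually landed in the archive, restores into a staging directory, recreates the excluded mount points (the mkdir step above), and byte-compares every backed-up file against the original. All paths and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: tar backup with excludes, plus an
# archive check and a restore to a staging directory. Uses a temporary tree in
# place of "/" so it can be run as an unprivileged user.
set -eu

# Directories the post excludes from a system backup, relative to the root.
EXCLUDES="proc sys mnt lost+found"

# make_backup ROOT ARCHIVE: gzip-compressed archive of ROOT, written to ARCHIVE.
# Members are stored with "./" relative paths (the -C ROOT . form), so a restore
# can be pointed at any directory with -C. The archive's own name is excluded in
# case it is written under ROOT, as /backup.tgz is in the post.
make_backup() {
    root=$1
    archive=$2
    set --                                  # rebuild $@ as the list of --exclude options
    for d in $EXCLUDES; do
        set -- "$@" "--exclude=./$d"
    done
    tar -czf "$archive" "$@" "--exclude=./$(basename "$archive")" -C "$root" .
}

# archive_has ARCHIVE MEMBER: exit 0 if MEMBER (e.g. ./etc/hosts) is in ARCHIVE.
archive_has() {
    tar -tzf "$1" | grep -qxF "$2"
}

# restore_backup ARCHIVE DEST: extract with permissions preserved (-p), then
# recreate the excluded directories so the restored tree has its mount points.
restore_backup() {
    archive=$1
    dest=$2
    mkdir -p "$dest"
    tar -xpzf "$archive" -C "$dest"
    for d in $EXCLUDES; do
        mkdir -p "$dest/$d"
    done
}

# verify_restore ROOT DEST: byte-compare every regular file under ROOT that was
# not excluded with its copy under DEST; exit 1 on the first mismatch.
verify_restore() {
    root=$1
    dest=$2
    find "$root" -type f | while read -r f; do
        rel=${f#"$root"/}
        skip=0
        for d in $EXCLUDES; do
            case "$rel" in "$d"/*) skip=1 ;; esac
        done
        [ "$skip" -eq 1 ] && continue
        cmp -s "$f" "$dest/$rel" || { echo "mismatch: $rel" >&2; exit 1; }
    done
}

# demo: build a constructed root with a normal file, a permission-restricted
# file and a /proc look-alike that must not be archived, then run the round trip.
demo() {
    root=$(mktemp -d)
    stage=$(mktemp -d)
    archive="$root.tgz"                     # outside ROOT, so it is never self-included
    mkdir -p "$root/etc" "$root/home/user" "$root/proc" "$root/sys"
    printf '127.0.0.1 localhost\n' > "$root/etc/hosts"
    printf 'machine db login app password constructed\n' > "$root/home/user/.netrc"
    chmod 600 "$root/home/user/.netrc"
    printf 'fake kernel state\n' > "$root/proc/version"   # would be garbage in a real backup
    make_backup "$root" "$archive"
    archive_has "$archive" ./etc/hosts && echo "archived: ./etc/hosts"
    archive_has "$archive" ./proc/version || echo "excluded: ./proc/version"
    restore_backup "$archive" "$stage"
    verify_restore "$root" "$stage" && echo "restore verified under $stage"
    rm -rf "$root" "$stage" "$archive"
}

demo
```

The excludes are written as `./proc` rather than `/proc` because the archive is built with `-C ROOT .`; with the post's absolute form (`tar ... /`) the `--exclude=/proc` spelling is the matching one.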

Tar Over SSH

tar -cpzf - ./ | ssh remoteuser@remotehost tar -C /path/to/remote/dir -xpzf -
tar -cpzf - ./ | ssh remoteuser@remotehost "cat > /path/backup.tgz"
ssh remoteuser@remotehost "tar -cpzf - --exclude=/proc --exclude=/lost+found --exclude=/mnt --exclude=/sys /" | tar -C /path -xpzf -

rsync cheatsheet

rsync -az -e ssh --delete $syncfrom $syncto

Copy file from a local computer to a remote server

$ rsync -v -e ssh /www/backup.tar.gz

Copy file from a remote server to a local computer

$ rsync -v -e ssh /tmp

Synchronize a local directory with a remote directory

$ rsync -r -a -v -e "ssh -l jerry" --delete /localwebroot

Synchronize a remote directory with a local directory

$ rsync -r -a -v -e "ssh -l jerry" --delete /local/webroot

Synchronize a local directory with a remote rsync server

$ rsync -r -a -v --delete rsync:// /home/cvs

Mirror a directory between my “old” and “new” web server/ftp
You can mirror a directory between the “old” and “new” web servers with the following command (assuming SSH keys are set up for passwordless authentication):

$ rsync -zavrR --delete --links --rsh="ssh -l vivek" /home/lighttpd

tshark examples

Packet display rules

tshark -R "ip.addr ==" -r /tmp/capture.cap

"Ethernet address 00:08:15:00:08:15" eth.addr == 00:08:15:00:08:15
"Ethernet type 0x0806 (ARP)" eth.type == 0x0806
"Ethernet broadcast" eth.addr == ff:ff:ff:ff:ff:ff
"No ARP" not arp
"IP only" ip
"IP address" ip.addr ==
"IP address isn't, don't use != for this!" !(ip.addr ==
"IPX only" ipx
"TCP only" tcp
"UDP only" udp
"UDP port isn't 53 (not DNS), don't use != for this!" !(udp.port == 53)
"TCP or UDP port is 80 (HTTP)" tcp.port == 80 || udp.port == 80
"HTTP" http
"No ARP and no DNS" not arp and not (udp.port == 53)
"Non-HTTP and non-SMTP to/from" not (tcp.port == 80) and not (tcp.port == 25) and ip.addr ==

tshark -R "http.response and http.content_type contains image" \
  -z "proto,colinfo,http.content_length,http.content_length" \
  -z "proto,colinfo,http.content_type,http.content_type" \
  -r /tmp/capture.tmp

To create a ";"-separated file with the source IP, destination IP and destination port of all SYN-initiated connections, you can use the following sample.
Use the options -T, -E and -e (see the man page for details):

tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)'

Display http response codes:

tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code

Display Top 10 URLs

tshark -r sample1.cap -R http.request -T fields -e -e http.request.uri |
sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head
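Both the SYN listing and the top-URL pipeline above post-process "tshark -T fields" output, which is plain text. The script below is an added example, not part of the original post, that does that post-processing with awk on constructed sample lines embedded in the script, so it runs without tshark or a capture file: it lists connection attempts per source and destination:port from the ';'-separated SYN output, flags sources that sent SYNs to many distinct ports on one host (a cheap scan indicator a defender can get from the same fields), and rebuilds the top-URL count with the query string stripped. It assumes the elided first field of the top-URL command is http.host and that those fields are tab-separated, tshark's default.

```shell
#!/bin/sh
# Added example, not from the original post: offline processing of
# "tshark -T fields" output. The two samples are constructed to look like the
# output of the SYN and HTTP field extractions above; no capture file is read.
set -eu

# Constructed: ';'-separated ip.src;tcp.srcport;ip.dst;tcp.dstport, one line per
# SYN without ACK, as the -E separator=';' command above would print.
SYN_SAMPLE='10.0.0.5;51234;10.0.0.10;22
10.0.0.5;51235;10.0.0.10;80
10.0.0.5;51236;10.0.0.10;443
10.0.0.5;51237;10.0.0.10;3306
10.0.0.5;51238;10.0.0.10;8080
10.0.0.7;40000;10.0.0.10;80
10.0.0.7;40001;10.0.0.10;80
10.0.0.7;40002;10.0.0.20;443'

# Constructed: tab-separated http.host and http.request.uri (tshark's default
# field separator), assuming http.host is the field elided in the post's command.
HTTP_SAMPLE=$(printf 'example.com\t/index.html
example.com\t/index.html?utm=1
example.com\t/img/logo.png
cdn.example.net\t/lib.js
example.com\t/index.html')

# syn_targets: stdin = SYN lines; prints "count src dst:port", busiest first.
syn_targets() {
    awk -F';' '{ print $1, $3 ":" $4 }' | sort | uniq -c | sort -rn
}

# scan_candidates THRESHOLD: stdin = SYN lines; prints "src dst distinct_ports"
# for every source that sent SYNs to more than THRESHOLD distinct ports on one
# destination. Each (src, dst, port) triple is counted once.
scan_candidates() {
    awk -F';' -v t="$1" '
        !seen[$1, $3, $4]++ { n[$1 " " $3]++ }
        END { for (k in n) if (n[k] > t) print k, n[k] }' | sort
}

# top_urls N: stdin = host<TAB>uri lines; strips the query string, rebuilds the
# URL and prints the N most requested (the sed pipeline above, done in awk).
top_urls() {
    awk -F'\t' 'NF >= 2 { sub(/\?.*$/, "", $2); print "http://" $1 $2 }' \
        | sort | uniq -c | sort -rn | head -n "$1"
}

printf '%s\n' "$SYN_SAMPLE" | syn_targets
printf '%s\n' "$SYN_SAMPLE" | scan_candidates 3
printf '%s\n' "$HTTP_SAMPLE" | top_urls 3
```

To run it against real output, replace the `printf '%s\n' "$SAMPLE"` producers with the tshark commands from the text; the functions only read stdin.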

Display Source IP and MAC Address (comma sep)

tshark -i eth0 -nn -e ip.src -e eth.src -Tfields -E separator=, -R ip

Display Target IP and MAC Address (comma sep)

tshark -i eth0 -nn -e ip.dst -e eth.dst -Tfields -E separator=, -R ip

Source and Target IP

tshark -i eth0 -nn -e ip.src -e ip.dst -Tfields -E separator=, -R ip

Source and Target IPv6

tshark -i eth0 -nn -e ipv6.src -e ipv6.dst -Tfields -E separator=, -R ipv6

Source IP and DNS Query

tshark -i eth0 -nn -e ip.src -e -E separator=";" -T fields port 53

Answer Seq Numbers
For a test, if the device uses random answer sequence numbers, I need the sequence number of the SYN-ACK packet.
The -o option is required to override the Wireshark configuration and make sure we get the absolute sequence number, not the relative one.

tshark -nn -i eth0 -e tcp.seq -T fields -o tcp.relative_sequence_numbers:FALSE host and tcp[13]=0x12

You can define the output columns of tshark. Here are some samples:
display only the Source and the Destination IP

tshark -o column.format:'"Source", "%s", "Destination", "%d"' -Ttext


tshark -i eth0 -c 100 -f "udp dst port 137" -T fields -t ad -e -e frame.time -e ip.src -e ip.dst -e -e nbns.flags.opcode -e nbns.flags.rcode

tshark -r samples.cap -o column.format:'"No.", "%m", "Info", "%i", "Len", "%Cus:tcp.len"'

tshark -r samples.cap -Ttext > outfile.txt

tshark -r samples.cap -o column.format:'"Source", "%s", "Destination", "%d"' -Ttext

tshark -r samples.cap -R http.response.code==200 -T fields -e http.content_type

tshark -r samples.cap -R dns.flags.response==0

Statistics from a capture file
Here are some samples:

tshark -r samples.cap -qz io,stat,1,0,sum(tcp.analysis.retransmission)"ip.addr==" > stat.txt

tshark -r samples.cap -qz io,stat,120,"ip.addr== && tcp","COUNT(tcp.analysis.retransmission)ip.addr== && tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,

tshark -r samples.cap -q -z io,stat,5,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission","COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack", \
  "COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment", \
  "COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission"

tshark -r samples.cap -q -z io,stat,5,"MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt",

tshark -r samples.cap -q -z ip_hosts,tree

tshark -r samples.cap -q -z conv,tcp

tshark -r samples.cap -q -z ptype,tree

MySQL snooping

tshark -i eth0 -aduration:60 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'

Logging all the queries with MySQL

1. Capture the MySQL traffic
tcpdump -i eth0 port 3306 -s 1500 -w tcpdump.out
2. Extract the queries
tshark -r tcpdump.out -d tcp.port==3306,mysql -T fields -e mysql.query > query_log.out
3. Remove the blank lines and redundant SQL:
cat query_log.out | grep -v "^$" | grep -v "^commit" | grep -v "^SET autocommit" | grep -v "^rollback" > query_log_no_blank.out

tcpdump cheatsheet
view traffic on an interface:

tcpdump -i fxp1

view the traffic of a single host:

tcpdump host

view traffic on a port:

tcpdump src port 80

view IP traffic to a host:

tcpdump ip host

view ARP traffic to a host:

tcpdump arp host

view RARP traffic to a host:

tcpdump rarp host

view traffic except for the host unixserver:

tcpdump not host unixserver

view traffic to server1 and server2

tcpdump host server1 or host server2

view packet contents on interface tun0 for a host

tcpdump -X -i tun0 host

sniff ICQ numbers and passwords

tcpdump -X -i fxp1 port aol

view packet contents on interface tun0 for a host, reading 1500 bytes of each packet and not resolving IP addresses to hostnames

tcpdump -X -s 1500 -n -i tun0 host