tcp/ip – Grey Panthers Savannah (https://grey-panther.net)

Problems (and a semi-solution) for tcpdump with DAG cards
https://grey-panther.net/2010/08/problems-and-a-semi-solution-for-tcpdump-with-dag-cards.html
Fri, 13 Aug 2010 01:30:00 +0000

Documenting here for posterity, since I didn’t find much information about it on the ‘net:

Disclaimer: I’m not a network head, just an amateur who dabbles with it when he needs to fix a problem.

Given one Ninjabox (the nickname for packet capture boxes from Endace) with a DAG card (some kind of custom packet capture network card from the same company), you could get the following error when trying to use tcpdump on the dag interface:

tcpdump: dag_attach_stream: Permission denied

The problem seems to be unrelated to your privilege level (you will get this even if you are running as root); rather, some other program is or was using the particular interface. You can quickly check this by running lsof | grep dag0. In my case it was softflowd. But even after killing the softflowd process, I was getting the same error message. I had to reset the card using the following commands:

/etc/init.d/dag_drivers_load stop
/etc/init.d/dag_drivers_load start

After this tcpdump worked like a charm. Hope that this information will save people from searching around as I had to do.

Off topic minirant: why use custom hardware / software? In my experience they almost never deliver the performance they promise and are hard to troubleshoot because of lack of information.

How to save/restore iptables rules on Ubuntu?
https://grey-panther.net/2009/12/how-to-save-restore-iptables-rules-on-ubuntu.html
Mon, 28 Dec 2009 11:01:00 +0000

This might be an obvious thing to old Linux-heads out there, but it sure caught me off-guard, so there might be some use in spelling it out:

iptables-save and iptables-restore do not actually save/load the iptables rules to/from an external file on their own: iptables-save writes the current rules to standard output and iptables-restore reads rules from standard input. You are responsible for redirecting the output of iptables-save to a file and for modifying the interface-up scripts so that the file is loaded before the given interface comes up.

The Ubuntu documentation tells you how (although, it also was the source of my confusion) – the following commands should be executed as root, so don’t forget to sudo su first:

  1. Save your rules in a file: iptables-save >/etc/iptables.rules
  2. Edit your interfaces file (substitute your own favorite editor here): nano /etc/network/interfaces
  3. Add a pre-up command to restore the saved rules. The fully configured file should look similar to this (the pre-up line is the one added):
    auto eth0
    iface eth0 inet dhcp
      pre-up iptables-restore < /etc/iptables.rules

HTH. And remember – security is a process / mindset, not a state. Always test the configuration changes you’ve done, don’t just assume that everything went ok because you didn’t receive error messages.
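One way to act on that advice, as an added example that is not part of the original post: compare the saved file with the live ruleset while ignoring the timestamps and packet counters that differ on every dump. The function names and the sample dump are constructed for illustration; /etc/iptables.rules is the path used in the steps above.

```sh
#!/bin/sh
# Added example (not from the original post): does the saved rules file still
# describe the ruleset that is actually loaded?

# normalize_rules: filter iptables-save output on stdin, dropping what changes
# on every dump: comment lines (they carry a timestamp) and the
# [packets:bytes] counters on chain lines and, with -c, on rule lines.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# rules_match FILE_A FILE_B: status 0 when both dumps hold the same rules.
rules_match() {
    a=$(normalize_rules < "$1") || return 2
    b=$(normalize_rules < "$2") || return 2
    [ "$a" = "$b" ]
}

# check_saved_rules [FILE]: compare FILE with the live ruleset (run as root).
check_saved_rules() {
    saved=${1:-/etc/iptables.rules}
    live=$(mktemp) || return 2
    iptables-save > "$live" || { rm -f "$live"; return 2; }
    rules_match "$saved" "$live" && rc=0 || rc=$?
    rm -f "$live"
    return "$rc"
}

# sample_dump COUNTERS [EXTRA_RULE]: constructed iptables-save style output,
# used only to exercise the comparison without touching a real firewall.
sample_dump() {
    printf '%s\n' "# Generated by iptables-save (constructed sample, $1)" \
        "*filter" ":INPUT DROP [$1]" ":FORWARD DROP [$1]" ":OUTPUT ACCEPT [$1]" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; fi
    printf '%s\n' "COMMIT" "# Completed (constructed sample)"
}
```

A non-zero status from check_saved_rules means /etc/iptables.rules no longer matches what is loaded, so the next pre-up would restore something different from the running firewall. iptables-restore --test < /etc/iptables.rules parses the file without committing it, which catches a damaged file before the interface script depends on it.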

What to do if you have many TIME_WAIT connections owned by the system process?
https://grey-panther.net/2006/10/what-to-do-if-you-have-many-time_wait-connections-owned-by-the-system-process.html
Wed, 18 Oct 2006 14:10:00 +0000

If you have a Windows machine which acts as a server and handles many connections per second, you can end up with a lot of half-open (TIME_WAIT) connections owned by the system (PID 0) process. If the communicating hosts have high-speed connections with one another (like a local LAN), you can resolve this with the following tweak, which reduces the timeout value:

Change the DWORD value TcpTimedWaitDelay (create it if you don’t have one) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to 30. This is in seconds and the accepted range is between 30 and 300 seconds.

Tip taken from the WinGuides site.

The official documentation can be found over at the MS technet site.

As a side note: why are all those connections owned by the system process? Because if a process exits, its half-open connections are inherited by the system process (this is probably something like the init process under Linux, which inherits processes whose parents have exited).
