During an upgrade cycle of my desktop computer, when I was prompted to reboot,
the computer would not reboot. It seems something corrupted the booting portion of the drive.
Yes, I know I'm supposed to back stuff up before performing changes, but in this case I didn't.
So... I needed to find a way to recover information off of a raid 10 drive array. I had two sets of two mirrored drives in a striped configuration: Raid 10.
As they were controlled by an Adaptec controllor card, I thought Adaptec might help. They were
unable to offer direct assistance, but they did suggest that the sofware offered by
Runtime Software would be of use.
I used Runtime Software's tools to examine my drives, and used their paid service to determine the drive configuration.
The response back from their paid service indicated that my drives were beyond recovery. Perhaps
the settings I used were incorrect for the data capture their software provided to their 'human
examiners'. But I would have thought they'd have an idea of what would be correct.
After receiving that bit of bad news, I decided to try data recovery myself. I licensed their
tools and gave it a try. Long story short, I was able to recover everything I needed.
The following video shows the steps I used to recover data from a drive
array controlled with an Adaptec AH2910SA Drive controller controlling four drives in a Raid 10
configuration.
When I saw this page, I had to take a break. This is a true hack. In the best sense of the
word.
Sitting in a walled garden, and only pings get out? Try this on for size:
ICMPTX (IP-over-ICMP).
By setting up a server side and a client side, someone has found a way to tunnel
IP traffic over ICMP packets, that is, when all is blocked, there is still a way out. Wow.
On the Flow-Tools email list, Craig Weinhold published a cheat sheet for how to treat IP Packet ToS (Type of Service) bits:
**** Pre-1998
The IPv4 ToS byte was part of the original 1981 definition of Internet Protocol
in RFC 791, which specified a 3-bit precedence value and 3-bits of ToS attributes.
In the tables below, "tos" values refer to the entire byte.
In 1992, RFC 1349 added a fourth ToS attribute.
0x80 0x40 0x20 0x10 0x08 0x04 0x02 0x01
+-----+-----+-----+-----+-----+-----+-----+-----+
| PRECEDENCE | TOS attributes | - |
+-----+-----+-----+-----+-----+-----+-----+-----+
PRECEDENCE TOS attributes
name dec tos bin name dec tos bin
network 7 224 111 min-delay 8 16 1000
internet 6 192 110 max-throughput 4 8 0100
critical 5 160 101 max-reliability 2 4 0010
flash-override 4 128 100 min-monetary-cost 1 2 0001
flash 3 96 011 normal 0 0 0000
immediate 2 64 010
priority 1 32 001
routine 0 0 000
**** Post-1998
RFC 2474 reworked the ToS as a 6-bit Differentiated Services Code Point (DSCP)
and, soon after, RFC 3168 allocated the lowest two bits for
Error Congestion Notification (ECN,
an IP analogy of frame-relay FECN and ATM EFCI).
0x80 0x40 0x20 0x10 0x08 0x04 0x02 0x01
+-----+-----+-----+-----+-----+-----+-----+-----+
| DSCP | ECN |
+-----+-----+-----+-----+-----+-----+-----+-----+
DSCP
name dec tos binary name dec tos binary
AF11 10 40 001010 CS1 8 32 001000
AF12 12 48 001100 CS2 16 64 010000
AF13 14 56 001110 CS3 24 96 011000
AF21 18 72 010010 CS4 32 128 100000
AF22 20 80 010100 CS5 40 160 101000
AF23 22 88 010110 CS6 48 192 110000
AF31 26 104 011010 CS7 56 224 111000
AF32 28 112 011100 EF 46 184 101110
AF33 30 120 011110 default 0 0 000000
AF41 34 136 100010
AF42 36 144 100100 AF = assured forwarding
AF43 38 152 100110 EF = expedited forwarding
CS = class selector
ECN (unrelated to QoS)
00 Not-ECT Not ECN-Capable Transport
01 ECT(0) ECN-Capable Transport
10 ECT(1) ECN-Capable Transport
11 CE Congestion Experienced
**** Notes on interpreting the ToS byte
The two definitions are complimentary for the upper 3-bits. This is good,
since those three bits are often copied to/from the 3-bit
class-of-service (CoS) field of layer-2 802.1p frames and
the 3-bit experimental (EXP) field of MPLS frames.
Bits 3-5, however, are fairly incompatible..
Thus, it's important not to oversimplify precedence/DSCP as a simple pecking order. In reality, each unique precedence/DSCP value conveys a packet's requirements for throughput, latency, and packet loss, three traits that are somewhat at odds with each other. And, any value can be assigned to any organizationally-unique purposes. For example,
Packets with precedence 5 and/or DSCP EF are often serviced by priority queues, so they may delay packets with higher precedence/DSCP values.
Within each AF level (e.g., AF2x includes AF21, AF22, and AF23), the higher values indicate a higher tolerance to packet loss. I.e., a congested interface should drop AF22 packets earlier than AF21 packets. In Cisco IOS, this behavior is implemented with DiffServ-complaint WRED ('random-detect dscp' on a class-map).
Any DSCP value under CS6 can be assigned for any organizationally-unique use. For example, Precedence 1/DSCP CS1 is often assigned for use as a less-than-best-effort class called scavenger. To successfully implement the scavenger class, all network devices must agree to treat CS1 traffic worse than Precedence 0/DSCP default.
ECN (RFC 3168) is an emerging issue for traditional netflow collection
and processing. The jist of ECN is that an intermediary router can,
after sensing congestion, change the lower two bits of ToS to indicate
congestion so that the hosts can slow themselves down. It's a L3
implementation of frame-relay FECN, essentially. Unfortunately, since
the ToS field changes packet-to-packet and hop-to-hop, it also disrupts
the traditional netflow 7-tuplet key (protocol, src/dst IP, src/dst port,
ToS, input interface).
If you can, exclude ToS as a flow key on your netflow sources. Recent
cisco IOS versions let you do this with flexible netflow while still
exporting netflow v5.
Traceroute, in a nutshell, is about iteratively sending packets to the network
with specific TTL (Time To Live) settings. The first round of packets uses a TTL of 1. The second
uses a value of 2. The values are adjusted upwards each iteration until the destination responds,
or the maximum number of hops has been evaluated.
The traditional form of pinging is to send out an ICMP type 8 packet. There are other forms:
Windows 'tracert' uses ICMP type 8 with incrementing TTL
Unix 'traceroute' uses UDP packets starting port 33434 through
(33434 + - 1)
TcpTraceRoute which
uses TCP syn packets to penetrate firewalls and NAT systems
Here are a few simple tools useful on a Windows' desktop for monitoring basic network stuff:
TCPTraceRoute: mBy sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
LFT: Layer Four Traceroute which is mostly non Windows based tool, but partially works in Cygwin.
Ping Plotter: helps you pinpoint where the problems are in an intuitive graphical way, and to continue monitoring your connection long-term to further identify issues.
A customer was performing penetration testing on their network. Once the test results
were in, among other things, they had a couple questions about responses to certain addresses
on their external subnet range.
As a background, every subnet with a network mask of /30 or shorter has three address groups:
first address: the zeros address aka network address
middle addresses: usuable addresses
last address: the ones address aka broadcast address
For explanation purposes, imagine a router with two interfaces:
interface 1, the ingress interface, with address range of 10.0.0.0/30 and interface address of 10.0.0.1.
interface 2, the egress interface, with address range of 10.0.0.4/30 and interface address of 10.0.0.5.
For some network devices, for a packet arriving on the ingress interface destined for the broadcast address
of the egress interface (10.0.0.7), the network device will forward the packet, effectively broadcasting to
all devices located in the subnet of the egress interfaces. When many packets arrive in this manner,
this is known as a
Smurf Attack.
Current Cisco devices, by default, no longer forward packets to broadcast addresses, but may respond to these
packets. The following command is applied by default to prevent forwarding of packets to broadcast addresses:
no ip directed-broadcast
At the other end of the subnet, for the network address, I originally thought this was a quiescent address. However,
I did find that the an ICMP echo request arriving on the ingress interface destined to the network address (10.0.0.4) of the
egress interface will generate an echo-reply with the ingress ip address (10.0.0.1) as the source address.
It appears that in days gone past, that for BSD Unix boxes and various other equipment, the network address was *the*
broadcast address. This is why some configurations allow one to configure the address of the broadcast address setting,
whether it be the high end or low end of a subnet. (thanx to Steinar Haug for this info).
rfc 1122 formalizes this broadcast address
configuration (thanx to an inciteful responder named Lee):
3.3.6 Broadcasts
There is a class of hosts* that use non-standard broadcast
address forms, substituting 0 for -1. All hosts SHOULD
recognize and accept any of these non-standard broadcast
addresses as the destination address of an incoming datagram.
A host MAY optionally have a configuration option to choose the
0 or the -1 form of broadcast address, for each physical
interface, but this option SHOULD default to the standard (-1)
form.
The host will respond with the echo-reply because of
rfc 791:
3.2.1.3 Addressing: RFC-791 Section 3.2
... An incoming datagram is destined
for the host if the datagram's destination address field is:
(1) (one of) the host's IP address(es); or
(2) an IP broadcast address valid for the connected
network; or
From a Cisco router perspective, the default use of the command 'no ip directed-broadcast', allows one
to use a /31 subnet (two ip addresses) for point to point links instead of the usual /30 subnet (four ip addresses).
One can effectively address twice as many links with the same number of addresses. This feature is mentioned in
Cisco's Feature Guide:
Using 31-Bit Prefixes on IPv4 Point-to-Point Links.
Coincidently, while I was writing this article, I received a note that there are a couple of TCP Security Assessment
documents available:
These documents go into the details of the bits and bytes making up the TCP protocol, analyzing the reasons for the bits,
how they can be misused, and suggesting counter-measures when used illegally. Theres is a detailed bibilography with
active links to related papers and documents.
An idea of the scope of the document can be seen through its first level table of content:
I'm sure the VMWare people have hidden this on purpose... just so you think you are forced into
installing command line utilities or buying licensing for their management products.
Anyway, I have a couple of ESXi 3.5 U4 servers installed. I created a Virtual Machine on one server, then
used the SSH scp command to copy the Virtual Machine from one host to the other. That is all well and good, but
how do you get it to show in inventory?
The answer to that is to run the VMWare Infrastructure Client. That is no problem. The trick is to click on
the Summary tab while in Inventory mode, and right click on the datastore. One can then browse the datastore.
And one can right click on a .vmx file to register the Virtual Machine in Inventory. That same menu allows one
to upload and download images from a local computer.
I think it would have been more intuitively obvious to have the datastore(s) listed in the left hand tree,
but I guess that would make too much sense.
Some random notes on ESXi 3.5 U4:
One needs to purchase at least the foundation license in order to get the remote command line tools to
work
When in the ESXi console, one can use vmkfstools to create and resize virtual drives. The GUI does not
allow the 'thin' command, but the vmkfstools command does. 'thin' is the ability to indicate what the overall
size is, but not to preallocate all the space necessary all at once.
When using an Asterisk based server in VMWare, allocate at least 500MHz to the server in order to maintain
non slipping time. More
VMWare Timekeeping Best Practices
Veeam FastSCP: Veeam FastSCP-
VMware ESX/ESXi managment tool
FastSCP provides a fast, secure and easy way to manage files and bulk copy VMs across your VMware ESX
environment.
I recently acquired a couple of decently configured HP DL360 G6 servers. Each boots VMWare directly from an
embedded USB Token. Now that is a server that works right out of the box. And it did.
It is an excellent ability to be able to use HP's management tools to view the console remotely. I've not
laid hands on the server, but I have almost complete visibility into the unit. There are about 20 different
temperature sensors, I can monitor and cap power usage, evaluate processor utilization, and much more. Remote
access to CDRoms is also available through a virtual media Java mechanism. I'm using that now to upgrade to U4
of ESXi.
HP has their own special image and after a bunch of searching, I found it at
Software Depot Home.
I had tried the U4 version from VMWare's site, but it wouldn't install itself in the correct spot. That is
when I figured that HP must have a special version. Don't try to install HP's v8.20 of management tools either.
They are frought with installation problems.
Disclaimer: This site may include market analysis. All ideas, opinions, and/or
forecasts, expressed or implied herein, are for informational purposes only and should not
be construed as a recommendation to invest, trade, and/or speculate in the markets. Any
investments, trades, and/or speculations made in light of the ideas, opinions, and/or
forecasts, expressed or implied herein, are committed at your own risk, financial or
otherwise.
