iptables: the meaning of default chain field - iptables

For example, I have some chains like:
*filter
:INPUT ACCEPT [368:102354]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92952:20764374]
Is there anyone who can explain the meanings of [368:102354], [0:0] and [92952:20764374]?

They are counters: the numbers of packets and bytes which have passed through the chains.
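As an added illustration (not part of the original answer), the following Python parses the `[packets:bytes]` pairs out of an iptables-save dump. The three chain lines in the sample are the ones from the question; the user-defined chain and the `[pkts:bytes] -A ...` rule lines are constructed to show the per-rule counters that `iptables-save -c` also prints. For the built-in chains these header counters are the ones `iptables -L -v` labels "policy ACCEPT 368 packets, 102354 bytes", i.e. the traffic that reached the chain's default policy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in iptables-save format. The three ':CHAIN POLICY [pkts:bytes]'
# lines are quoted from the question; ':WEB - [0:0]' (a user-defined chain, which has
# no policy) and the '[pkts:bytes] -A ...' rule lines are made up for this example.
SAMPLE_DUMP = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [368:102354]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92952:20764374]
:WEB - [0:0]
[12:960] -A INPUT -p tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp --dport 80 -j WEB
COMMIT
"""

CHAIN_RE = re.compile(r"^:(?P<chain>\S+)\s+(?P<policy>\S+)\s+\[(?P<pkts>\d+):(?P<bytes>\d+)\]\s*$")
RULE_RE = re.compile(r"^\[(?P<pkts>\d+):(?P<bytes>\d+)\]\s+-A\s+(?P<chain>\S+)\s+(?P<rule>.*)$")


@dataclass
class Counter:
    table: str
    chain: str
    policy: str | None        # chain policy; None for user-defined chains (shown as '-')
    packets: int
    bytes: int
    rule: str | None = None   # None for a chain header line, else the rule text


def parse_counters(dump: str) -> tuple[list[Counter], list[Counter]]:
    """Split an iptables-save dump into chain-header counters and per-rule counters."""
    chains: list[Counter] = []
    rules: list[Counter] = []
    table = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # '*filter', '*nat', ... starts a table block
            table = line[1:]
            continue
        if line == "COMMIT":              # ends the current table block
            table = ""
            continue
        m = CHAIN_RE.match(line)
        if m:
            policy = None if m["policy"] == "-" else m["policy"]
            chains.append(Counter(table, m["chain"], policy, int(m["pkts"]), int(m["bytes"])))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Counter(table, m["chain"], None, int(m["pkts"]), int(m["bytes"]), m["rule"]))
    return chains, rules


def top_rules(rules: list[Counter], n: int = 5) -> list[Counter]:
    """Rules ordered by packet count, a quick way to see which rules actually fire."""
    return sorted(rules, key=lambda r: (r.packets, r.bytes), reverse=True)[:n]


if __name__ == "__main__":
    chains, rules = parse_counters(SAMPLE_DUMP)
    for c in chains:
        print(f"{c.table}/{c.chain:<8} policy={c.policy or '-':<7} packets={c.packets:>8} bytes={c.bytes:>12}")
    for r in top_rules(rules):
        print(f"{r.table}/{r.chain}: [{r.packets}:{r.bytes}] {r.rule}")
```

Feeding it the real output of `iptables-save -c` (run as root) works the same way; the chain-header regex also accepts `:CHAIN - [0:0]` for user-defined chains, which carry no policy.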

Related

skb_tail_pointer(skb) does not work correctly, and points to the UDP header tail wrongly

On Linux kernel version 3.2.48.
As a UDP server in kernel mode, skb_tail_pointer(skb) is not correct: it points to the UDP header tail, losing the payload size. udphdr->len is right.
It is strange.
It is possible that the tail and data pointers point to the same location. skb_tail_pointer() returns the starting tail address.

MD5($pwd . $salt) Hashcat Commands

I'm trying to brute force a basic hash of a plaintext password and a hash, but I'm having difficulty with the hashcat commands.
I'm unsure how to specify what my salt is. I've selected -m 10 and -a 3 for brute force, but whenever I try to load my hash + salt I get "Line-length exception".
My command is:
hashcat64.exe -m 10 hash.txt -a 3
You "specify" the salt by having the correct format for the hashing algorithm.
For -m 10, or md5($pass.$salt), see this example, which is directly from the hashcat website:
01dfae6e5d4d90d9892622325959afbe:7050461
Note the colon after the password hash, which separates it from the salt. If your file already looks like this, maybe try adding a new line to the end?
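An added example, not from the answer or from the hashcat project: a small Python checker for the "hash:salt" line shape that mode 10 expects. The first sample line is the one quoted from the hashcat site; the other lines are constructed to show the malformed entries (CRLF endings, missing salt, missing colon) a hash file often contains. The checker only validates the documented format; hashcat's own parser decides what it rejects.

```python
import hashlib
import re

# Constructed hash file. Line 1 is the example quoted from the hashcat website;
# lines 2-5 are deliberately malformed.
SAMPLE_LINES = [
    "01dfae6e5d4d90d9892622325959afbe:7050461\n",
    "01dfae6e5d4d90d9892622325959afbe:7050461\r\n",   # saved with Windows CRLF endings
    "01dfae6e5d4d90d9892622325959afbe:\n",            # colon present but salt missing
    "01dfae6e5d4d90d9892622325959afbe7050461\n",      # hash and salt run together
    "\n",                                             # blank line, nothing to check
]

# Mode 10 entry: 32 hex characters (MD5), a colon, then the salt as it was hashed.
ENTRY_RE = re.compile(r"^[0-9a-fA-F]{32}:.+$")


def md5_pass_salt_entry(password: str, salt: str) -> str:
    """Build the mode-10 line for a known password/salt pair: md5($pass . $salt) ':' salt."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def check_entries(lines) -> list:
    """Return (line_number, problem) for each line that is not a well-formed mode-10 entry."""
    problems = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if line.endswith("\r"):
            problems.append((n, "CRLF line ending; convert the file to LF"))
            line = line[:-1]
        if not line:
            continue
        if ENTRY_RE.match(line):
            continue
        digest, sep, salt = line.partition(":")
        if not sep:
            problems.append((n, "no ':' separating hash from salt"))
        elif not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
            problems.append((n, f"hash part is {len(digest)} chars, not 32 hex chars"))
        else:
            problems.append((n, "empty salt after ':'"))
    return problems


if __name__ == "__main__":
    for n, problem in check_entries(SAMPLE_LINES):
        print(f"line {n}: {problem}")
    # constructed pair, used only to show what a freshly built entry looks like
    print(md5_pass_salt_entry("correct horse", "7050461"))
```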

ratelimiting with iptables recent gives error

Due to a huge number of bots accessing my web server too many times a second, I went into my server and issued the following commands in an attempt to limit connections to a maximum of 25 in 5 seconds. I may need to be more strict, but I'm not because I have one page that is rarely accessed that requests 50 images and that might need 51 connections, and I don't want users waiting forever for the remaining 26 pictures.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 5 --hitcount 26 -j DROP
The first command works (verified with iptables -nL), but the second command immediately returns this message: "iptables: Invalid argument. Run `dmesg' for more information."
As soon as I executed it, I received the following at the end of it:
Call Trace:
<IRQ> [<ffffffff8112f7ba>] ? __alloc_pages_nodemask+0x74a/0x8d0
[<ffffffff81299270>] ? swiotlb_map_page+0x0/0x100
[<ffffffff8116e282>] ? kmem_getpages+0x62/0x170
[<ffffffff8116ee9a>] ? fallback_alloc+0x1ba/0x270
[<ffffffff8116e8ef>] ? cache_grow+0x2cf/0x320
[<ffffffff8116ec19>] ? ____cache_alloc_node+0x99/0x160
[<ffffffff8116fb9b>] ? kmem_cache_alloc+0x11b/0x190
[<ffffffff8144d058>] ? sk_prot_alloc+0x48/0x1c0
[<ffffffff8144e262>] ? sk_clone+0x22/0x2e0
[<ffffffff8149ff16>] ? inet_csk_clone+0x16/0xd0
[<ffffffff814b97d3>] ? tcp_create_openreq_child+0x23/0x470
[<ffffffff814b6f8d>] ? tcp_v4_syn_recv_sock+0x4d/0x310
[<ffffffff814b9576>] ? tcp_check_req+0x226/0x460
[<ffffffff814b69cb>] ? tcp_v4_do_rcv+0x35b/0x490
[<ffffffffa0322557>] ? ipv4_confirm+0x87/0x1d0 [nf_conntrack_ipv4]
[<ffffffff814b825a>] ? tcp_v4_rcv+0x51a/0x900
[<ffffffff81495270>] ? ip_local_deliver_finish+0x0/0x2d0
[<ffffffff8149534d>] ? ip_local_deliver_finish+0xdd/0x2d0
[<ffffffff814955d8>] ? ip_local_deliver+0x98/0xa0
[<ffffffff81494a9d>] ? ip_rcv_finish+0x12d/0x440
[<ffffffff81495025>] ? ip_rcv+0x275/0x350
[<ffffffff8145c3eb>] ? __netif_receive_skb+0x4ab/0x750
[<ffffffff81460058>] ? netif_receive_skb+0x58/0x60
[<ffffffff81460160>] ? napi_skb_finish+0x50/0x70
[<ffffffff814618c9>] ? napi_gro_receive+0x39/0x50
[<ffffffffa024e267>] ? e1000_receive_skb+0x67/0x110 [e1000e]
[<ffffffffa0250e6f>] ? e1000_clean_rx_irq+0x37f/0x580 [e1000e]
[<ffffffffa025397d>] ? e1000e_poll+0x8d/0x2d0 [e1000e]
[<ffffffff814619e3>] ? net_rx_action+0x103/0x2f0
[<ffffffff8107a5f1>] ? __do_softirq+0xc1/0x1e0
[<ffffffff810e6c60>] ? handle_IRQ_event+0x60/0x170
[<ffffffff8107a64f>] ? __do_softirq+0x11f/0x1e0
[<ffffffff8100c30c>] ? call_softirq+0x1c/0x30
[<ffffffff8100fa75>] ? do_softirq+0x65/0xa0
[<ffffffff8107a4a5>] ? irq_exit+0x85/0x90
[<ffffffff81532525>] ? do_IRQ+0x75/0xf0
[<ffffffff8100b9d3>] ? ret_from_intr+0x0/0x11
<EOI>
The contents before that refer to USB devices and other system devices. Can someone tell me how to successfully rate-limit incoming connections without experiencing random errors?
Executing dmesg reveals the cause of the error:
[78482.351825] xt_recent: hitcount (26) is larger than packets to be remembered (20)
This means that the recent module of iptables is limited to remembering just 20 packets. To solve this issue you can do either of the following:
Reduce the value of the hitcount parameter in your iptables rule from 26 to 20 or less.
or
Increase the maximum possible value for the hitcount parameter from its default value of 20 by setting the option ip_pkt_list_tot of the xt_recent kernel module. This can be done by creating an ip_pkt_list_tot.conf file in /etc/modprobe.d/ which contains:
options xt_recent ip_pkt_list_tot=26
Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system.
Inspecting the iptables man page leads to the same conclusion:
--hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame. The maximum value for the hitcount parameter is given by the "ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this value on the command line will cause the rule to be rejected.
Note that xt_recent is called ipt_recent on some systems.
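The diagnosis above can be turned into a check you run before loading such a rule. The Python below is an added example (not part of the answer): it pulls the hitcount and the module's packet memory out of the dmesg line, extracts --hitcount from the rule, and states both fixes. It assumes the module parameter is exposed at /sys/module/xt_recent/parameters/ip_pkt_list_tot, which is where the kernel publishes module parameters once xt_recent is loaded; the USB line in the sample dmesg excerpt is constructed, the xt_recent line is the one quoted above.

```python
from __future__ import annotations

import re
from pathlib import Path

# Kernel message format as quoted from dmesg in the answer.
XT_RECENT_REJECT = re.compile(
    r"xt_recent: hitcount \((?P<hitcount>\d+)\) is larger than packets to be remembered \((?P<remembered>\d+)\)"
)
HITCOUNT_OPT = re.compile(r"--hitcount\s+(\d+)")

# Module parameters appear under /sys/module/<module>/parameters/ while the module is loaded.
PARAM_PATH = Path("/sys/module/xt_recent/parameters/ip_pkt_list_tot")
DEFAULT_IP_PKT_LIST_TOT = 20   # the default the answer and the man page refer to

# Constructed dmesg excerpt; only the xt_recent line is quoted from the answer.
SAMPLE_DMESG = """\
[78481.990112] usb 1-1: new high-speed USB device number 4 using ehci_hcd
[78482.351825] xt_recent: hitcount (26) is larger than packets to be remembered (20)
"""

# The rule from the question that was rejected.
RULE = ("iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW "
        "-m recent --update --seconds 5 --hitcount 26 -j DROP")


def live_ip_pkt_list_tot(path: Path = PARAM_PATH) -> int | None:
    """Current limit if xt_recent is loaded on this host, else None."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None


def rule_hitcount(rule: str) -> int | None:
    m = HITCOUNT_OPT.search(rule)
    return int(m.group(1)) if m else None


def find_rejection(dmesg: str) -> dict | None:
    """Pick the xt_recent rejection out of a dmesg dump and describe both fixes."""
    for line in dmesg.splitlines():
        m = XT_RECENT_REJECT.search(line)
        if not m:
            continue
        hitcount, remembered = int(m["hitcount"]), int(m["remembered"])
        return {
            "hitcount": hitcount,
            "remembered": remembered,
            # fix 1: keep the module default and lower the rule's --hitcount to this
            "max_hitcount_with_current_limit": remembered,
            # fix 2: raise the limit in /etc/modprobe.d/ and reload xt_recent
            "modprobe_conf_line": f"options xt_recent ip_pkt_list_tot={hitcount}",
        }
    return None


def rule_fits(rule: str, limit: int | None = None) -> bool:
    """True when the rule's --hitcount does not exceed the module's packet memory."""
    if limit is None:
        limit = live_ip_pkt_list_tot() or DEFAULT_IP_PKT_LIST_TOT
    hc = rule_hitcount(rule)
    return hc is None or hc <= limit


if __name__ == "__main__":
    print("rule fits current limit:", rule_fits(RULE))
    rejection = find_rejection(SAMPLE_DMESG)
    if rejection:
        print(f"hitcount {rejection['hitcount']} > remembered {rejection['remembered']}")
        print("either lower --hitcount to", rejection["max_hitcount_with_current_limit"])
        print("or write to /etc/modprobe.d/ip_pkt_list_tot.conf:", rejection["modprobe_conf_line"])
```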

How can I use the value of mp2t.af.pcr as a Tshark field?

I have a wireshark capture that contains an RTP multicast stream (plus some other incidental data).
Using a Tshark command like the following, I can produce a CSV of the RTP timestamp compared with the packet capture time:
tshark.exe -r "capture.pcap" -Eseparator=, -Tfields -e rtp.timestamp -e frame.time_epoch -d udp.port==5000,rtp
This decodes the UDP packets as RTP, and successfully prints out the two fields as expected.
Now, my question: The payload of the RTP stream is an MPEG2 Transport Stream, and I also want to print the PCR value (if there is one) alongside the packet and RTP timestamps.
In wireshark, I can see the PCR being decoded correctly, however using a command like the following:
tshark.exe -r "HBO HD CZ.pcap" -Eseparator=, -Tfields -e rtp.timestamp -e frame.time_epoch -e mp2t.af.pcr -d udp.port==5000,mp2t
...only prints out a "1" if there is a PCR present, not the actual value. I have also checked the .pcr_flag to confirm that these two are not exchanged, but still I see the same result.
The documentation seems to call mp2t.af.pcr a "Label", does this mean that Tshark is not able to use it as a field? Is there a way to generate a CSV with these values?
(What part of the documentation calls it a "Label"? That's a somewhat odd description of a named field.)
The problem is that the value that Wireshark displays after "base(XXX)*300 + ext(YYY)" is calculated and displayed, but the field itself isn't given an integral type and is instead given a type that doesn't have a value. Arguably, it should be an FT_UINT64 field and should be given a value, so that you can filter on it and can print the value in TShark.
Please file an enhancement request for this on the Wireshark Bugzilla.
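Until the field carries a value, the PCR can be recovered from the raw TS packets yourself. The Python below is an added example (not Wireshark's code): it shows the PCR layout in the adaptation field, the base*300 + ext arithmetic the answer describes, and a walk over an RTP payload of back-to-back 188-byte TS packets. The packets it parses are constructed in the block; PIDs and PCR values are made up.

```python
from __future__ import annotations

from typing import Iterator

TS_PACKET_LEN = 188
SYNC_BYTE = 0x47

# PCR layout in the adaptation field (ISO/IEC 13818-1): 33-bit base, 6 reserved bits,
# 9-bit extension, 48 bits in all; the 27 MHz clock value is base * 300 + extension.


def encode_pcr(base: int, ext: int) -> bytes:
    if not 0 <= base < (1 << 33) or not 0 <= ext < 300:
        raise ValueError("base must fit in 33 bits, extension must be 0..299")
    return ((base << 15) | (0x3F << 9) | ext).to_bytes(6, "big")


def decode_pcr(field: bytes) -> tuple[int, int, int]:
    """Return (base, extension, pcr) from the six PCR bytes."""
    v = int.from_bytes(field[:6], "big")
    base, ext = v >> 15, v & 0x1FF
    return base, ext, base * 300 + ext


def build_ts_packet(pid: int, base: int, ext: int, cc: int = 0) -> bytes:
    """Constructed 188-byte TS packet whose adaptation field carries only a PCR."""
    # header: sync, PID (13 bits), adaptation_field_control=10 (AF only), continuity counter
    header = bytes([SYNC_BYTE, (pid >> 8) & 0x1F, pid & 0xFF, 0x20 | (cc & 0x0F)])
    af_body = bytes([0x10]) + encode_pcr(base, ext)       # flags byte: PCR_flag set
    af_len = TS_PACKET_LEN - len(header) - 1              # adaptation field fills the packet
    adaptation = bytes([af_len]) + af_body + b"\xff" * (af_len - len(af_body))
    return header + adaptation


def pcr_from_ts_packet(pkt: bytes) -> tuple[int, int, int] | None:
    """(base, ext, pcr) if the packet's adaptation field has PCR_flag set, else None."""
    if len(pkt) != TS_PACKET_LEN or pkt[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte TS packet")
    afc = (pkt[3] >> 4) & 0x3          # adaptation_field_control: 10 = AF only, 11 = AF + payload
    if afc not in (2, 3) or pkt[4] == 0:
        return None
    if not pkt[5] & 0x10:              # PCR_flag clear: no PCR in this packet
        return None
    return decode_pcr(pkt[6:12])


def iter_pcrs(payload: bytes) -> Iterator[tuple[int, int, int]]:
    """Walk an RTP payload of consecutive TS packets, yielding (packet_index, pid, pcr)."""
    for i in range(0, len(payload) - TS_PACKET_LEN + 1, TS_PACKET_LEN):
        pkt = payload[i:i + TS_PACKET_LEN]
        found = pcr_from_ts_packet(pkt)
        if found is not None:
            pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
            yield i // TS_PACKET_LEN, pid, found[2]


if __name__ == "__main__":
    # constructed payload: two TS packets, each carrying a PCR
    payload = build_ts_packet(0x100, 123456789, 42) + build_ts_packet(0x101, 1, 1, cc=1)
    for index, pid, pcr in iter_pcrs(payload):
        print(f"packet {index} pid 0x{pid:x} pcr {pcr}")
```

To apply this to a capture, export the RTP payload bytes (for example with tshark -Tfields -e rtp.payload) and feed each payload to iter_pcrs alongside the rtp.timestamp and frame.time_epoch columns already being printed.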

CCL does not run shell command normally?

? (run-program "ls" '() :output *standard-output*)
money.lisp
ssqHitNum.txt
ssqNum.txt
#<EXTERNAL-PROCESS (ls)[1019] (EXITED : 0) #x3867BACE>
? (run-program "tail ssqHitNum.txt" '() :output *standard-output*)
#<EXTERNAL-PROCESS (tail ssqHitNum.txt)[1020] (EXITED : 71) #x38679E56>
Why cannot CCL run "tail ssqHitNum.txt"?
As detailed in the docs, http://ccl.clozure.com/ccl-documentation.html#Running-Other-Programs-as-Subprocesses, you need to capture the output. This is one of the documented ways:
(with-output-to-string (s)
  (ccl:run-program "ls" nil :output s))
The output is now contained in s and you can do whatever you want with it.
Try running it as:
(run-program "tail" '("ssqHitNum.txt") :output *standard-output*)
The second argument to run-program must contain the parameters.