Friday 13 November 2015

Uptime... not recommended

Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Sun 09-Jan-05 00:09 by antonino
Image text-base: 0x00003000, data-base: 0x0099748C

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(14r)EA1a, RELEASE SOFTWARE (fc1)

3750-sw1 uptime is 10 years, 6 weeks, 6 days, 2 minutes
System returned to ROM by power-on
System restarted at 12:16:53 UTC Wed Sep 28 2005


Definitely needs an upgrade at some point....

Friday 7 August 2015

Cisco Packet Captures and Perl Net::Pcap::Easy

So today I was once again dealing with a packet capture taken from a Cisco router using the "monitor capture buffer/monitor capture point" commands. I wanted to build a Perl script to do some basic parsing and sanity checking of the data.

Unfortunately, my simple pcap library of choice in Perl, Net::Pcap::Easy, doesn't like Cisco packet captures:

ERROR Unhandled data link type: RAW at /usr/local/share/perl/5.18.2/Net/Pcap/Easy.pm line 122.

This is very easy to fix, although a bit ugly. The lines of code in Net::Pcap::Easy which handle frames with no Ethernet header are shown below:

        # For non-ethernet data link types, construct a
        # fake ethernet header from the data available.
        my ($ether, $type);
        if ($linktype == Net::Pcap::DLT_EN10MB) {
            $ether = NetPacket::Ethernet->decode($packet);
            $type = $ether->{type};

        } elsif ($linktype == Net::Pcap::DLT_LINUX_SLL) {
            use bytes;
            $type = unpack("n", substr($packet, 2+2+2+8, 2));
            $ether = NetPacket::Ethernet->decode(
                    pack("h24 n", "0" x 24, $type) . substr($packet, 16));
            no bytes;

        } else {
            die "ERROR Unhandled data link type: " .
                Net::Pcap::datalink_val_to_name($linktype);
        }


As you can see, it generates the error for the unhandled link type. Since the capture carries no Ethernet-level data, my tools won't be using any, so literally anything will do as long as it doesn't crash the higher-level packet dissectors.

So... I added a really simple extra option to the if statement:

        } elsif ($linktype == Net::Pcap::DLT_RAW) {
            # Steve's attempt to handle RAW
            $ether = NetPacket::Ethernet->decode(pack('H*','0001020304050005040302010800').$packet);
            $type = $ether->{type};

Literally, this adds a header that says data is from 00:01:02:03:04:05 and to 00:05:04:03:02:01, and is of type 0x0800, IP. This fix worked first time, which surprised me a little!
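As an added example (my own code, not the author's patch or anything from Net::Pcap::Easy), the same fake-header idea applied without editing the installed module: a stand-alone script that uses Net::Pcap and NetPacket directly, picks the EtherType from the first nibble of the raw packet so an IPv6 capture is not labelled as IPv4, and does the kind of basic sanity check the post mentions. The placeholder MAC addresses, the constructed IPv4 packet used when no file is given, and the helper names are assumptions.

```perl
#!/usr/bin/perl
# Added example (not the post's code): read a Cisco "monitor capture" pcap
# with Net::Pcap and give DLT_RAW packets a fake Ethernet header.
use strict;
use warnings;
use Net::Pcap;
use NetPacket::Ethernet;
use NetPacket::IP;

# Prepend a placeholder Ethernet II header (dst MAC, src MAC, EtherType) to a
# DLT_RAW packet. The MACs are arbitrary; NetPacket::IP never looks at them.
sub fake_ethernet_for_raw {
    my ($packet) = @_;
    my $version = (unpack('C', $packet) // 0) >> 4;   # first nibble: 4 or 6
    my $type = $version == 6 ? 0x86DD : 0x0800;      # IPv6 or IPv4 EtherType
    return pack('H12 H12 n', '000102030405', '000504030201', $type) . $packet;
}

# Turn a packet from any supported link type into a frame NetPacket can decode.
sub to_ethernet_frame {
    my ($linktype, $packet) = @_;
    return $packet if $linktype == Net::Pcap::DLT_EN10MB;
    return fake_ethernet_for_raw($packet) if $linktype == Net::Pcap::DLT_RAW;
    die "ERROR Unhandled data link type: "
        . Net::Pcap::datalink_val_to_name($linktype) . "\n";
}

# Sanity check one frame: decode IPv4, flag a header whose version nibble
# disagrees with the EtherType, and tally packets by transport protocol.
sub check_frame {
    my ($frame, $stats) = @_;
    my $eth = NetPacket::Ethernet->decode($frame);
    return sprintf("skipped EtherType 0x%04x", $eth->{type}) if $eth->{type} != 0x0800;
    my $ip = NetPacket::IP->decode($eth->{data});
    $stats->{bad_version}++ if $ip->{ver} != 4;
    $stats->{"proto_$ip->{proto}"}++;
    return "$ip->{src_ip} -> $ip->{dest_ip} proto $ip->{proto} len $ip->{len}";
}

my $file = shift @ARGV;
if (defined $file) {
    my $err = '';
    my $pcap = Net::Pcap::open_offline($file, \$err) or die "pcap: $err\n";
    my $linktype = Net::Pcap::datalink($pcap);
    my %stats;
    Net::Pcap::loop($pcap, -1, sub {
        my ($user, $hdr, $packet) = @_;
        print check_frame(to_ethernet_frame($linktype, $packet), \%stats), "\n";
    }, '');
    print "$_: $stats{$_}\n" for sort keys %stats;
} else {
    # Constructed 20-byte IPv4/TCP header (10.0.0.1 -> 10.0.0.2), no payload,
    # so the script can be exercised without a capture file.
    my $raw = pack('H*', '4500001400000000400600000a0000010a000002');
    print check_frame(to_ethernet_frame(Net::Pcap::DLT_RAW, $raw), {}), "\n";
}
```

Run it as `perl check_capture.pl capture.pcap` against a Cisco export, or with no argument to see it decode the constructed packet.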

Hope that helps!