Archive for the ‘Network Info’ Category

ChatGPT-o1 – how to analyze Wireshark Packet Captures with AI

Saturday, May 10th, 2025

FRITZ!Box Packet Sniffer – record network traffic directly on the FRITZ!Box and analyze it online with Wireshark

Saturday, May 10th, 2025

To do this, simply open the address http://fritz.box/html/capture.html in a browser, log in and start the capture on the desired network interface … or do it online using the Linux script below together with Wireshark.

root@js-FUTRO-S740:~# apt-get install wireshark

js@js-FUTRO-S740:~$ vi FritzBoxPacketSniffer
#!/bin/bash
set -x
# This is the address of the router
FRITZIP=http://IP@
# This is the WAN interface
IFACE="2-0"
# Lan Interface
#IFACE="1-lan"
# If you use password-only authentication use 'dslf-config' as username.
FRITZUSER="<user>"        # placeholder: your Fritz!Box user
FRITZPWD="<password>"     # placeholder: that user's password
SIDFILE="/tmp/fritz.sid"
if [ -z "$FRITZPWD" ] || [ -z "$FRITZUSER" ] ; then echo "Username/Password empty. Usage: $0 <username> <password>" ; exit 1; fi
echo "Trying to login into $FRITZIP as user $FRITZUSER"
if [ ! -f "$SIDFILE" ]; then
touch "$SIDFILE"
fi
SID=$(cat "$SIDFILE")
# Request challenge token from Fritz!Box
CHALLENGE=$(curl -k -s "$FRITZIP/login_sid.lua" | grep -o "<Challenge>[a-z0-9]\{8\}" | cut -d'>' -f 2)
# Very proprietary way of AVM: create an authentication token by hashing the challenge token with the password
# (each character is followed by a NUL byte, i.e. UTF-16LE, then MD5, lowercase hex)
HASH=$(perl -MPOSIX -e '
use Digest::MD5 "md5_hex";
my $ch_Pw = "$ARGV[0]-$ARGV[1]";
$ch_Pw =~ s/(.)/$1 . chr(0)/eg;
my $md5 = lc(md5_hex($ch_Pw));
print $md5;
' -- "$CHALLENGE" "$FRITZPWD")
curl -k -s "$FRITZIP/login_sid.lua" -d "response=$CHALLENGE-$HASH" -d 'username='"${FRITZUSER}" | grep -o "<SID>[a-z0-9]\{16\}" | cut -d'>' -f 2 > "$SIDFILE"
SID=$(cat "$SIDFILE")
# Check for successful authentication (an all-zero SID means the login was refused)
if [[ $SID =~ ^0+$ ]] ; then echo "Login failed. Did you create & use explicit Fritz!Box users?" ; exit 1 ; fi
echo "Capturing traffic on Fritz!Box interface $IFACE ..." 1>&2
# Start the capture on the Fritz!Box and feed the pcap stream straight into Wireshark
wireshark -k -i <(wget --no-check-certificate -qO- "$FRITZIP/cgi-bin/capture_notimeout?ifaceorminor=$IFACE&snaplen=&capture=Start&sid=$SID")
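As an added example that is not part of the original post or of AVM's own code, the same login steps in Python: pull the challenge out of the XML that login_sid.lua returns, build the response the way the Perl one-liner does (UTF-16LE of "challenge-password", MD5, lowercase hex) and apply the script's all-zero SID check. The sample XML below is constructed, as is the password.

```python
import hashlib
import re

# Constructed sample of the XML login_sid.lua returns before any login;
# a SID of all zeros means "not logged in".
SAMPLE_LOGIN_XML = (
    "<SessionInfo><SID>0000000000000000</SID>"
    "<Challenge>1a2b3c4d</Challenge><BlockTime>0</BlockTime></SessionInfo>"
)


def parse_challenge(xml_text):
    """Extract the 8-character challenge, like the script's grep/cut pair."""
    m = re.search(r"<Challenge>([a-z0-9]{8})</Challenge>", xml_text)
    if m is None:
        raise ValueError("no <Challenge> element in login_sid.lua response")
    return m.group(1)


def parse_sid(xml_text):
    """Extract the 16-character SID from the post-login response."""
    m = re.search(r"<SID>([a-z0-9]{16})</SID>", xml_text)
    if m is None:
        raise ValueError("no <SID> element in login_sid.lua response")
    return m.group(1)


def login_response(challenge, password):
    """Build 'challenge-md5hex' exactly as the Perl one-liner does.

    The Perl code appends chr(0) after every character; for ASCII input
    that is the UTF-16LE encoding used here.
    """
    data = (challenge + "-" + password).encode("utf-16-le")
    return challenge + "-" + hashlib.md5(data).hexdigest().lower()


def sid_is_valid(sid):
    """The script treats an all-zero SID as a failed login."""
    return re.fullmatch(r"0+", sid) is None


if __name__ == "__main__":
    ch = parse_challenge(SAMPLE_LOGIN_XML)
    print("challenge:", ch)
    print("response: ", login_response(ch, "secret"))   # "secret" is a constructed password
    print("logged in:", sid_is_valid(parse_sid(SAMPLE_LOGIN_XML)))
```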

AVM FRITZ!Tech – what you need for the FRITZ! Smart Energy 250

Thursday, May 8th, 2025

Understanding Snort Rules – the FritzBox sends ICMPv6 packets to distribute information about the network, such as router advertisements used for automatic address configuration (SLAAC) and DNS server discovery. Specifically, ICMPv6 type 134 packets (router advertisement) sent to the multicast address FF02:: are used to announce that the FritzBox is a router and to provide information about the available network prefixes and DNS servers

Wednesday, May 7th, 2025

05/07-20:01:05.468282 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {IPV6-ICMP} :: -> ff02::1:ff02:13ed

root@rpi-iot-jsho-snort-02:~# vi .swatchrc
ignore /ff02::/
watchfor /Priority\: [1-3]/
echo=normal
mail=js@dpsolution.de,subject=[SNORT] Priority [1-3] Alert

Snort 2.9.15.1 – network intrusion detection system (NIDS) installation & config & logging & rule writing

Wednesday, May 7th, 2025

root@rpi-iot-jsho-snort-02:~# apt-get install snort
root@rpi-iot-jsho-snort-02:~# snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.15.1 GRE (Build 15125)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.10.3 (with TPACKET_V3)
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.13
root@rpi-iot-jsho-snort-02:~#
root@rpi-iot-jsho-snort-02:~# systemctl status snort
● snort.service - LSB: Lightweight network intrusion detection system
Loaded: loaded (/etc/init.d/snort; generated)
Active: active (running) since Mon 2025-04-28 20:02:47 CEST; 21min ago
Docs: man:systemd-sysv-generator(8)
Tasks: 2 (limit: 383)
CPU: 11.421s
CGroup: /system.slice/snort.service
└─1570 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort --pid-path /run/snort/ -c /etc/snort/snort.conf -S "\"HOME_N>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_POP Version 1.0 <Build 1>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Preprocessor Object: appid Version 1.1 <Build 5>
Apr 28 20:02:47 rpi-iot-jsho-snort-02 snort[1570]: Commencing packet processing (pid=1570)
root@rpi-iot-jsho-snort-02:~#
root@rpi-iot-jsho-snort-02:~# netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 22633 0 56 0 4279 0 0 0 BMRU
lo 65536 38 0 0 0 38 0 0 0 LRU
root@rpi-iot-jsho-snort-02:~# ip link set eth0 promisc on
root@rpi-iot-jsho-snort-02:~# netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 22873 0 56 0 4330 0 0 0 BMPRU
lo 65536 38 0 0 0 38 0 0 0 LRU

The flag will be updated to BMPRU

Flag details are as follows:
B flag is for broadcast
M flag is for multicast
P flag is for promisc mode
R is for running
U is for up

root@rpi-iot-jsho-snort-02:~#
root@rpi-iot-jsho-snort-02:/etc/network# dmesg | tail -n 4
[ 87.654916] Bluetooth: HCI socket layer initialized
[ 87.654962] Bluetooth: L2CAP socket layer initialized
[ 87.655034] Bluetooth: SCO socket layer initialized
[ 108.558206] smsc95xx 1-1.1:1.0 eth0: entered promiscuous mode

Understanding Snort Rules – 'alert udp any any -> any 67' with message "Possible DHCP server" will alert if a UDP packet is sent from any source to any destination on port 67, potentially indicating a DHCP server; this rule can be used to identify and alert on potential DHCP server activity on the network

Wednesday, May 7th, 2025

05/07-10:15:17.565258 [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -> 255.255.255.255:67

root@rpi-iot-jsho-snort-02:~# vi .swatchrc
ignore /0.0.0.0:68 -> 255.255.255.255:67/
watchfor /Priority\: [1-3]/
echo=normal
mail=js@dpsolution.de,subject=[SNORT] Priority [1-3] Alert

Understanding Snort Rules – the IP address 239.255.255.250 is a multicast address used in conjunction with the Simple Service Discovery Protocol (SSDP); SSDP is a protocol used to search for Universal Plug and Play (UPnP) devices in a network

Tuesday, May 6th, 2025

05/06-17:58:18.513849  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.167:1900 -> 239.255.255.250:1900

05/07-10:29:42.163512 [**] [1:1384:8] MISC UPnP malformed advertisement [**] [Classification: Misc Attack] [Priority: 2] {UDP} 2003:d4:c71d:ba00:3e37:12ff:fe55:1452:1900 -> ff0e::c:1900

root@rpi-iot-jsho-snort-02:~# vi .swatchrc
ignore /:1900$/
watchfor /Priority\: [1-3]/
echo=normal
mail=js@dpsolution.de,subject=[SNORT] Priority [1-3] Alert
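As an added example that is not part of the original posts: the three .swatchrc snippets from the ICMPv6, DHCP and SSDP posts above, merged into one ignore list and applied in Python to constructed alert lines in Snort's fast alert format (the four alerts quoted in those posts plus one constructed "Possible DHCP server" alert with a hypothetical sid 10000002), so you can see which alerts the ignore lines suppress before the Priority watch fires.

```python
import re

# Constructed sample alert lines in Snort's "fast" alert format. The first four
# mirror the alerts quoted in the posts above; the last one is made up and is
# the only one that should get through the ignore list.
SAMPLE_ALERTS = [
    "05/07-20:01:05.468282 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {IPV6-ICMP} :: -> ff02::1:ff02:13ed",
    "05/07-10:15:17.565258 [**] [1:527:8] BAD-TRAFFIC same SRC/DST [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 0.0.0.0:68 -> 255.255.255.255:67",
    "05/06-17:58:18.513849 [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.167:1900 -> 239.255.255.250:1900",
    "05/07-10:29:42.163512 [**] [1:1384:8] MISC UPnP malformed advertisement [**] [Classification: Misc Attack] [Priority: 2] {UDP} 2003:d4:c71d:ba00:3e37:12ff:fe55:1452:1900 -> ff0e::c:1900",
    "05/07-11:02:33.000001 [**] [1:10000002:1] Possible DHCP server [**] [Classification: Potentially Bad Traffic] [Priority: 1] {UDP} 192.168.1.50:67 -> 192.168.1.23:68",
]

# The ignore/watchfor regexes from the .swatchrc files, kept verbatim (swatch
# applies them as Perl regexes, so the unescaped dots match any character).
IGNORE_PATTERNS = [r"ff02::", r"0.0.0.0:68 -> 255.255.255.255:67", r":1900$"]
WATCHFOR_PATTERN = r"Priority: [1-3]"

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(line):
    """Split a fast-format alert into its fields; returns None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def should_notify(line):
    """Swatch semantics: a matching ignore line wins, otherwise notify on watchfor."""
    if any(re.search(p, line) for p in IGNORE_PATTERNS):
        return False
    return re.search(WATCHFOR_PATTERN, line) is not None


def alerts_to_mail(lines):
    """Return (sid, msg) for every alert that would trigger the mail action."""
    mailed = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and should_notify(line):
            mailed.append((alert["sid"], alert["msg"]))
    return mailed
```

Running alerts_to_mail(SAMPLE_ALERTS) leaves only the constructed DHCP-server alert, which is the point of the three ignore lines: the FritzBox's own ICMPv6, DHCP broadcast and SSDP chatter is dropped before the Priority watch is evaluated.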

1blu VPS Linux – setting up a reverse proxy with Nginx Proxy Manager

Monday, May 5th, 2025

Pi-hole v6.0.6 FTL v6.1 Web interface v6.1 – reacts very slowly after the update to 6.x plus extremely high CPU usage

Sunday, May 4th, 2025

Pi-hole – MAXDBDAYS controls how many days of query data are stored in the long-term database; setting it to 0 disables logging, effectively removing all query data. The default value is 365 days, meaning queries older than a year are automatically removed

root@rpi-iot-jsho-pihole:~#
root@rpi-iot-jsho-pihole:~# service pihole-FTL stop
root@rpi-iot-jsho-pihole:~# rm /etc/pihole/pihole-FTL.db
root@rpi-iot-jsho-pihole:~# service pihole-FTL start
root@rpi-iot-jsho-pihole:~# pihole -up
[✓] Supported OS detected
[✓] Update local cache of available packages
[✓] Building dependency package pihole-meta.deb
[✓] Installing Pi-hole dependency package
[i] Checking for updates…
[i] Pi-hole Core: up to date
[i] Web Interface: up to date
[i] FTL: up to date
[✓] Everything is up to date!
root@rpi-iot-jsho-pihole:~#
root@rpi-iot-jsho-pihole:~# vi /etc/pihole/pihole-FTL.conf
MAXDBDAYS=8
root@rpi-iot-jsho-pihole:~# service pihole-FTL restart
root@rpi-iot-jsho-pihole:~#

AVM FRITZ!Tech – push notification when nobody is home with the FRITZ!Smart Control 350

Wednesday, April 30th, 2025

Snort 3 – the renowned network Intrusion Detection System (IDS)

Saturday, April 26th, 2025

Zabbix 7.2.1 – quick overview of Zabbix interface and its main features

Friday, April 25th, 2025

DeepSeek AI – and analyzing Wireshark Packet Captures with AI

Friday, April 25th, 2025

AVM FRITZ!Tech – everything about port forwarding

Thursday, April 24th, 2025

Pi-hole v6.0.6 FTL v6.1 Web interface v6.1 – released

Tuesday, April 22nd, 2025