Monthly archives: April 2010

Wireshark remote sniffing without rpcapd

Wireshark for Windows

After reading my article about rpcapd, Peter Calum sent me this message:

I cannot use rpcapd because of the problem with the randomly chosen port for the data transfer, because of the FW between our office network and our technical network servers. Our Wireshark collecting host is placed here.

But after some work I found another solution which works really fine: pipe a tcpdump command on the collecting host back through SSH.
I use plink.exe, which comes with PuTTY.

Make a command file with the tcpdump command:

tcpdump -s0 -w - -i eth0 not port 22


plink.exe -ssh -pw mypassword root@ -m commands.txt | "c:\program files\wireshark\wireshark.exe" -k -i -

When you send the command, Wireshark starts up and shows the data... voilà.

Wireshark for Linux

And from Linux, just run:

ssh root@ "tcpdump -w - host" | wireshark -k -i -
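The same ssh | wireshark pipeline, wrapped into a small script as an added example (it is not part of the original post or of Peter Calum's message). It assumes key-based SSH authentication rather than a password on the command line (a password passed as an argument is visible to every local user in the process list), a remote account that may run tcpdump (root, or an unprivileged user to whom tcpdump has been granted cap_net_raw and cap_net_admin with setcap), and wireshark on the local PATH. Host names, interfaces and filters are arguments; the SSH port is excluded from the capture because the capture's own SSH traffic would otherwise be captured again and the stream would feed on itself.

```shell
#!/bin/sh
# Added example, not from the original post: remote tcpdump streamed over
# SSH into a local Wireshark. Assumes key-based SSH auth (no password on the
# command line, where "ps" shows it to every local user), a remote account
# allowed to run tcpdump, and wireshark on the local PATH. Nothing is
# hard-coded; hosts, interfaces and filters are arguments.

# build_filter USERFILTER SSHPORT
# Always exclude the SSH session that carries the capture itself: otherwise
# every captured packet produces SSH traffic, which is captured in turn.
build_filter() {
    user_filter=$1
    ssh_port=${2:-22}
    if [ -n "$user_filter" ]; then
        printf '(%s) and not tcp port %s' "$user_filter" "$ssh_port"
    else
        printf 'not tcp port %s' "$ssh_port"
    fi
}

# remote_tcpdump_cmd IFACE FILTER
# -s0: whole packets; -U: flush after every packet, otherwise the pipe is
# block-buffered and Wireshark only sees bursts; -n: no reverse DNS on the
# remote host; -w -: pcap stream to stdout, which ssh carries home.
remote_tcpdump_cmd() {
    printf 'tcpdump -n -U -s0 -i %s -w - %s' "$1" "$2"
}

# capture HOST IFACE [USERFILTER] [SSHPORT]
# e.g. capture analyst@sensor01 eth0 'host 10.0.0.5'
capture() {
    host=$1
    iface=$2
    ssh_port=${4:-22}
    filter=$(build_filter "$3" "$ssh_port")
    ssh -p "$ssh_port" "$host" "$(remote_tcpdump_cmd "$iface" "$filter")" \
        | wireshark -k -i -
}

# Run the capture when invoked with arguments; functions only when sourced.
if [ $# -ge 2 ]; then
    capture "$@"
fi
```

Any BPF expression works as the user filter; the script only wraps it in parentheses and appends the SSH exclusion, so "host 10.0.0.5" becomes "(host 10.0.0.5) and not tcp port 22" on the remote side.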

AWStats byte order is not compatible

After migrating AWStats data from Debian i386 to Debian amd64, awstats gives me the following error:

/usr/lib/cgi-bin/ -config=awstats -update
Update for config "/etc/awstats/awstats.conf"
With data in log file "/var/log/apache2/access.log"...
Warning: Error while retrieving hashfile: Byte order is not compatible at 
../../lib/ (autosplit into ../../lib/auto/Storable/ 
line 331, at (eval 5) line 1

The explanation is here: the hash files are written by Perl's Storable module, and Storable stamps every file with the writing perl's byte-order string ("1234" on 32-bit, "12345678" on 64-bit) and refuses to read a file whose stamp differs, even though both Debian i386 and amd64 are little-endian. So hashes written on the 32-bit host are simply not readable by the 64-bit perl.
The workaround is simple: delete all the hash files. They are only Storable copies of AWStats' text data files, so nothing is lost, and AWStats rebuilds them on the next update.

rm /var/lib/awstats/*.hash
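A more targeted version of the same fix, as an added example that is not part of the original post: instead of deleting every hash file, it reads each file's Storable header with Storable::file_magic (header only, so it works on files this perl cannot load) and moves aside only those whose byte order or integer sizes differ from the running perl, which is exactly the condition behind "Byte order is not compatible". It assumes a perl with Storable 2.16 or newer (for file_magic), the AWStats data directory passed as an argument (Debian's is /var/lib/awstats), and, for the rebuild step, Debian's /usr/lib/cgi-bin/awstats.pl; that path is an assumption, the page only shows the directory.

```shell
#!/bin/sh
# Added example, not from the original post. Finds AWStats *.hash files whose
# Storable header does not match the running perl (the cause of "Byte order is
# not compatible") and moves them aside so the next update rebuilds them.
# Assumptions: perl with Storable >= 2.16 (file_magic), the data directory
# passed as argument (Debian: /var/lib/awstats), and Debian's
# /usr/lib/cgi-bin/awstats.pl for the rebuild step (assumed path).

# perl_layout: layout signature of the running perl as byteorder/intsize/
# longsize/ptrsize, e.g. "12345678/4/8/8" on amd64 and "1234/4/4/4" on i386.
# Storable writes this into every file header and refuses a file whose
# byteorder string differs: "1234" vs "12345678" already fails the length
# comparison although both architectures are little-endian.
perl_layout() {
    perl -MConfig -e 'print join "/", @Config{qw(byteorder intsize longsize ptrsize)}'
}

# hash_layout FILE: the same signature as recorded in FILE's Storable header.
hash_layout() {
    perl -MStorable=file_magic -e '
        my $m = file_magic($ARGV[0]) or die "not a Storable file: $ARGV[0]\n";
        die "network-order file, no layout recorded\n" if $m->{netorder};
        print join "/", @{$m}{qw(byteorder intsize longsize ptrsize)};
    ' "$1"
}

# stash_incompatible DATADIR: move every *.hash in DATADIR that this perl
# cannot read into DATADIR/hash.incompatible/ and print how many were moved.
# Files that are not Storable at all are moved too; AWStats regenerates all
# of them from its text data files on the next -update.
stash_incompatible() {
    datadir=$1
    [ -d "$datadir" ] || return 1
    want=$(perl_layout)
    moved=0
    for f in "$datadir"/*.hash; do
        [ -e "$f" ] || continue            # glob matched nothing
        have=$(hash_layout "$f" 2>/dev/null) || have=unreadable
        [ "$have" = "$want" ] && continue  # readable by this perl, keep it
        mkdir -p "$datadir/hash.incompatible"
        mv "$f" "$datadir/hash.incompatible/"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# awstats_update CONFIG: rebuild the stashed caches (assumed Debian path).
awstats_update() {
    perl /usr/lib/cgi-bin/awstats.pl -config="$1" -update
}

# Usage: sh awstats-hashfix.sh /var/lib/awstats awstats
if [ $# -eq 2 ]; then
    echo "moved $(stash_incompatible "$1") incompatible hash file(s)"
    awstats_update "$2"
fi
```

Running "hash_layout" against one of the migrated files and comparing it with "perl_layout" is also a quick way to confirm the diagnosis before touching anything: the file will report "1234/4/4/4" while the amd64 perl reports "12345678/4/8/8".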