Friday, December 24, 2010

FreeBSD: High Performance Packet Capture

I'm not sure how many of you have heard about this project, but I found the FreeBSD ringmap implementation while googling and it looks interesting to me. I suggest you visit the link and read the documentation/presentation.

I'm going to try it out whenever possible. Right now it is ported to FreeBSD 8.1 stable, and you can download the source code and test it out yourself.

You can also find a lot of information about high performance packet capture at the link below; I usually use the settings recommended there for my FreeBSD sensor setup.

By the way, FreeBSD already has zero-copy bpf implemented, thanks to Robert Watson, who has done a lot of background work on it. To learn more about zero-copy bpf you can check the presentation slides here -

Cheers (;])

FreeBSD: Virtual Network Switch

In the previous post I mentioned that I'm going to cover the Open vSwitch and Vde implementations. However, I think it is also interesting to cover how you can set up a virtual switch with FreeBSD's native facilities. As we all know, bridging is actually software switching, so we can make use of the bridge interface to achieve this. I will explain the 6-port virtual network switch setup illustrated in the diagram below -

shell>ifconfig bridge0 create

shell>ifconfig tap0 create

shell>ifconfig tap1 create

shell>ifconfig tap2 create

shell>ifconfig tap3 create

shell>ifconfig tap4 create

shell>ifconfig tap5 create

shell>ifconfig bridge0 addm tap0 addm tap1 addm tap2 addm tap3 addm tap4 addm tap5 up

By now you have exactly the setup shown in the diagram above. To make it permanent/persistent, add the following lines to /etc/rc.conf -

cloned_interfaces="bridge0 tap0 tap1 tap2 tap3 tap4 tap5"
ifconfig_bridge0="addm tap0 addm tap1 addm tap2 addm tap3 addm tap4 addm tap5 up"

Also add the following lines to /etc/sysctl.conf -

Once everything is done, you can check that it is set up properly -

shell>ifconfig bridge0
bridge0: flags=8843 metric 0 mtu 1500
ether 0e:a5:28:73:f9:3b
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap5 flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000000
member: tap4 flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000000
member: tap3 flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000000
member: tap2 flags=143
ifmaxaddr 0 port 6 priority 128 path cost 2000000
member: tap1 flags=143
ifmaxaddr 0 port 5 priority 128 path cost 2000000
member: tap0 flags=143
ifmaxaddr 0 port 4 priority 128 path cost 2000000

To undo everything, just run

shell>ifconfig bridge0 deletem tap0 deletem tap1 deletem tap2 deletem tap3 deletem tap4 deletem tap5

shell>ifconfig tap0 destroy

shell>ifconfig tap1 destroy

shell>ifconfig tap2 destroy

shell>ifconfig tap3 destroy

shell>ifconfig tap4 destroy

shell>ifconfig tap5 destroy

shell>ifconfig bridge0 destroy

The setup is complete. In the next blog post I will talk about how you can set up a similar virtual switch using the FreeBSD ng_bridge implementation, plus release the FreeBSD VM so you can try out the setup yourself.
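As an added example that is not part of the original post, here is a small POSIX sh helper set for the bridge(4)/tap(4) switch above: it builds the addm argument list for an N-port switch and checks ifconfig bridge0 output for expected members that are missing, which is how a tap left off a hand-typed addm list shows up. The function names and the sample output strings are my own constructions.

```sh
#!/bin/sh
# Added example, not from the original post: helpers for the bridge(4)/tap(4)
# virtual switch described above. Function names and samples are constructed.

# Build the "addm tap0 addm tap1 ... up" argument list for tap0..tap(N-1);
# usable both on the command line and as the ifconfig_bridge0 rc.conf value.
addm_args() {
    n=$1; i=0; args=""
    while [ "$i" -lt "$n" ]; do
        args="$args addm tap$i"
        i=$((i + 1))
    done
    printf '%s\n' "${args# } up"
}

# Read "ifconfig bridgeN" output on stdin and print member interface names.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Read "ifconfig bridgeN" output on stdin; print the expected members (given
# as arguments) that are not attached, space separated (empty when complete).
missing_members() {
    actual=$(bridge_members)
    missing=""
    for want in "$@"; do
        printf '%s\n' "$actual" | grep -qx "$want" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample, trimmed from the ifconfig bridge0 output in the post:
# once with all six taps attached and once with tap2 left out, the kind of
# slip a hand-typed addm list tends to contain.
FULL_BRIDGE='bridge0: flags=8843 metric 0 mtu 1500
        member: tap5 flags=143
        member: tap4 flags=143
        member: tap3 flags=143
        member: tap2 flags=143
        member: tap1 flags=143
        member: tap0 flags=143'
NO_TAP2_BRIDGE=$(printf '%s\n' "$FULL_BRIDGE" | grep -v 'member: tap2 ')

# On a live FreeBSD host:
#   ifconfig bridge0 | missing_members tap0 tap1 tap2 tap3 tap4 tap5
```

Any name printed by missing_members is a port the bridge will silently not forward for, so run the check after each rc.conf change as well as after the manual commands.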

Enjoy (;])

Friday, December 17, 2010

Virtual Network Switch

Many people have talked about hypervisors and playing around with virtual machines. There are many solutions available today, either open source or commercial: VMware, Xen, VirtualBox, Qemu, KVM, Parallels, Virtual PC, and others that I may not know.

What I would like to discuss here is virtual network switching. Many of us have used a piece of hardware called a network switch, which allows endpoints to talk to each other. Many companies produce hardware network switches, for example Cisco, Juniper, 3Com, DLink, NetGear, etc.

A virtual machine lives inside a single operating system, which means we can have many virtual machines running on one piece of hardware. With a virtual network switch we can likewise run many network switches on one piece of hardware and use them to connect the virtual machines so they can talk to each other.

However, how many solutions are there for virtual network switches? As far as I know, not many. Cisco has produced one called the Cisco Nexus 1000 Series. If you know of any other commercial solution, please comment.

How about open source solutions? Yes, here are two that I found very interesting; again, if you know of any other open source solution, please let me know.

- Open vSwitch
- Vde

This is just a simple writeup of what I'm going to cover in the future, where I will discuss how you can set up virtual network switches and leverage them. Most of my posts will discuss both Open vSwitch and Vde, while VirtualBox and Qemu will be used to connect to the switch.

Enjoy (;])

Thursday, December 16, 2010

Virtualization Insanity

I have been poking around with virtualization technologies, and this is one of the screenshots I took of multiple qemu VMs talking to multiple VirtualBox VMs.

I will cover a lot about this topic soon, as my own notes and also for sharing.

Cheers ;]

Wednesday, December 15, 2010

4REN6 VM Mirror

Thanks to the Digital Forensics Framework (DFF) team for providing a mirror for the 4REN6 VM, which you can find here -

I'm still looking for more download mirrors, please let me know if you can host it.

Enjoy ;]

Cloud Technology

I need to tag this post as it contains a list of Cloud solutions, so I can check them out whenever necessary -

Cheers ;]

Tuesday, December 14, 2010

Virtualization tools

I mentioned ovftool in my previous post, and I also found xenconvert here -

By the way, another fun tool worth mentioning is imvirt, which you can find here -

Enjoy ;]

Good Reference For Linux /dev

I came across this link while playing around with tun/tap devices in Linux, and it's worth sharing -

You can use mknod to play around with /dev on Linux; for tun/tap you can use tunctl or openvpn to create them.

Enjoy ;]

sFlow Resources

I need to keep track of what I have read and tested. Currently I'm looking into sFlow for network visibility; if you are interested in sFlow as well, feel free to check out the links below -

If you have more sFlow material to share, feel free to comment.

Cheers ;]

Wednesday, December 08, 2010

VMware ovftool

I just found out about this tool and want to keep track of it, so it's best to post it on my blog where I can search for it next time. Basically it is a command-line utility that allows you to import and export OVF packages to and from a wide variety of VMware platform products.

Cheers ;]

Tuesday, November 30, 2010

4REN6 VM Download

Finally ...

Thanks to Niresh for hosting 4REN6 VM. Now you can download the VM via

If you would like to help out by hosting the VM for download, please let me know. I will update the VM once Ubuntu releases version 10.10. If you try out the VM and have any feature request, feel free to email me.

Cheers ;]

Thursday, September 30, 2010

Cisco Regex

Whoever follows my blog or my workshops will know I always mention regular expressions (regex) as applied knowledge for security analysts. I came across an interesting read about Cisco regex and think it would be good to share with the bunch, so there you go -

Have fun; it's also good to read some background history of regex and how Cisco makes use of it.

Cheers ;]

Friday, August 13, 2010

4REN6 VM WalkThrough Guide

As promised in the previous post, I hereby release the 4REN6 VM WalkThrough Guide, where you can find how to install a comprehensive list of forensics tools on Ubuntu 10.04. Here's the link for the guide -

Currently you need an account to download it, but that's no problem for a quick read. I will upload this guide to my own server later so that you can download it freely (in both pdf and odt format, in case you want to edit it). Maybe a wiki is a good way to go for documentation collaboration, but right now I don't have any plan for it yet.

Feel free to comment; I appreciate any valuable input! By the way, I'm still looking for anyone who is willing to host the 4REN6 VM image.

Cheers (;])

Tuesday, August 03, 2010

Home For 4REN6 VM

Yes, I'm still working in the IT industry and I'm not dead yet. Right now I'm working on both tech and non-tech stuff, so this first paragraph is just an ice breaker for me to say something.

I have a Virtual Machine image I prepared for Digital Forensics Training, and I would like to release it. It has the name 4REN6 but it doesn't have a home now. The size of the VM is 2.6G, so if any of you is interested in hosting the image, please do contact me via


Please make sure you send to my email address correctly: it is geek zero zero L and not o o L, as a couple of people have tried to send me email but failed to do so. I'm sorry about that, but I can do nothing about it.

Don't ask me why I'm doing this while there are similar projects such as SIFT, Helix, PlainSight or others I may not know. The main reason is that I just want the exercise and to confirm that all the stuff I work on really works. Bear in mind I'm doing this alone, so please don't shout at me if it breaks. On the other hand, I will release the documentation on how to install everything you need to make a forensic desktop using Ubuntu, since I have already taken all the notes during the making of this VM and it's just a matter of putting them together.

Some sneak peaks -

By the way, the wallpaper is designed by myself, so it is not really as slick a wallpaper as we used to have in HeX.

Last but not least, I would like to thank my blog readers who have encouraged me to continue my blog again, and some other friends along the line. I think this is the right thing to do.

Cheers (;])

Friday, May 21, 2010

You can play pacman in

Since I haven't been blogging for a while, let's start with something else -

If you don't know, your good old game was first released on the 22nd of May 1980, so 30 years have passed that fast. Anyway, enjoy playing pacman!

Cheers ;)

Monday, March 22, 2010

What I do lately

Here's what I've been doing lately. I haven't been blogging for a while but have been doing some other stuff, and I figure I still need to keep this blog alive no matter what. I have been poking at

- Splunk - Working on a snort/argus module
- Nokia N900 - this is by far the most open mobile platform I have seen, and guess what, you can run snort on it with the Debian stack.
- Gns3 - A way to learn Cisco stuff and WAN setups
- Training - Designing a new security training course
- HackerSpaceKL - Helping where I can

Applications I use but keep forgetting if I haven't used them for a while, so it's good to note them down

- recordMyDesktop - gtk-recordMyDesktop
- gnome-screenshot - gnome-screenshot --area
- Funambol - sudo sh bin/funambol start
- xdg-open - xdg-open whatever

Till next time ...

Cheers ;]