Tag: ethereal

2.6.7-8 default window scaling settings

My new Fedora installation was playing up with certain web sites resulting in *very* slow download (I could see the words drawing on my screen one by one). An Ethereal dump showed a nice big window size, but max 120 byte packets and an ack for each one!

Well it turns out since about kernel 2.6.7, the default tcp_window_scale setting has been 7. The problem is, as was with ECN, there are lots of broken routers out there which break window scaling (they strip the TCP options, which is totally against RFC, and common sense). So the other end doesn’t know you’re scaling, so it’ll think you set (or you think it set) a tiny ickle window size.

Anyway I fixed it for now with a ‘net.ipv4.tcp_default_win_scale = 0’ in my /etc/sysctl.conf, but there is a new kernel patch floating around which seems to be a bit cleverer and will be due in the next kernel.
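To make the failure mode concrete, here is an added example (not from the post) that builds a constructed TCP SYN carrying the window-scale option (kind 3, shift 7), models a router that strips the options, and shows the window the peer then applies to later segments; the packet builder and the stripping function are assumptions used for illustration, not real kernel or router code.

```python
import struct

def build_tcp_header(src_port, dst_port, window, wscale=None):
    """Build a minimal 20-byte TCP header (checksum left zero) plus an
    optional window-scale option: Kind=3, Len=3, shift, padded with a NOP."""
    opts = b""
    if wscale is not None:
        opts = bytes([3, 3, wscale, 1])
    data_offset = (20 + len(opts)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         0, 0,                   # seq / ack (constructed values)
                         data_offset << 4, 0x02, # offset byte, SYN flag
                         window, 0, 0)           # window, checksum, urgent ptr
    return header + opts

def parse_window_scale(segment):
    """Walk the TCP options and return the advertised shift, or None."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # End of Option List
            break
        if kind == 1:                # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 3 and length == 3:
            return opts[i + 2]
        i += length
    return None

def strip_tcp_options(segment):
    """Model the broken router: drop every TCP option and rewrite the
    data offset to 5 words, exactly what the RFC forbids."""
    header = bytearray(segment[:20])
    header[12] = (5 << 4) | (header[12] & 0x0F)
    return bytes(header)

def effective_window(segment, peer_shift):
    """Window the receiver actually applies: the raw 16-bit field shifted
    by the scale it learned from the peer's SYN (0 if none was seen)."""
    raw = struct.unpack("!H", segment[14:16])[0]
    return raw << (peer_shift or 0)
```

With the option intact the peer learns shift 7 and reads a raw window of 512 as 65536 bytes; with it stripped the same segments advertise a 512-byte window, which is why the capture shows tiny packets and an ACK for every one.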

Ethereal ELOG support and keepalived

Updated my Firestorm ELOG alert file support patch for Ethereal (0.10.0). Get it here.

I’ve been playing with keepalived over the last couple of weeks. It’s basically an entire Linux HA cluster system. It does the job of heartbeat for failover and incorporates LVS for load balanced services. It looks really great but I’ve managed to upset it a few times by restarting the daemon too much. Also I’ve found using bonded ethernet interfaces with multicast traffic results in multiple copies of the packets coming out of bond0, which really confuses the keepalived anti-replay sequence numbers (Hey, I’ve seen that packet already!). I’ve reported it to the keepalived guys and will do the same for the bonding people. I’m not sure whose problem it is to solve.

Firestorm ethereal and RedHat Advanced Server

I’ve ported my Ethereal ELOG patch to the latest version (0.9.14) and fixed a bug handling pcap captured alerts. Created Debian debs for powerpc and i386. Matt is working on some RPMS for RedHat 9.

RedHat’s latest change of support plans for RedHat Linux seems to be doing what was intended, getting more people to purchase Advanced Server (and the new Enterprise Server and Workstation) rather than leeching off them. Good for RedHat. There have been too many idiots selling RedHat Linux-based solutions expecting the coloured headgear company to do the hard work of beta testing, bug fixing etc. etc. for free.

Firestorm elog support for Ethereal

I finally got a patch together to add Firestorm NIDS elog support to Ethereal. You can find the Ethereal patch and a screenshot within my downloads directory. I may put a couple of example elog files on there to play with too.

Liverpool and Firestorm NIDS Ethereal support

I’ve been down near Liverpool for the last few days, but I still found time to work on my latest project, adding support for Firestorm NIDS alert elogs to Ethereal 0.9.8. See a screenshot. Ethereal seems nicely written and I’m not having too many problems adding support for new file formats and protocols.