Niels Horn's Blog

Random thoughts, tips & tricks about Slackware-Linux, Lego and Star Wars

Using wireshark with remote capturing

Wireshark is a very nice network protocol analyzer / sniffer, that is very complete and totally free and open source. It is the standard for examining network packets, used by many professionals and home users. I’ve been using wireshark since the days when it was still called Ethereal, some years ago.

The last few days I was struggling with the following situation:

  • I wanted to examine some packets passing through my firewall
  • my firewall is a “headless” (this means without a monitor, accessible only via ssh) Slackware server
  • it has no X installed (and therefore no window manager etc.), so it won’t run wireshark

Now wireshark can read packets captured by tcpdump and written to a file, so that’s what I did at first:

  • capture with tcpdump
  • write the packets to a file on a network share
  • open the file with wireshark

The problem is that I wanted to examine the packets “on-line”, as they pass through the firewall.
Linux has a solution (inherited from Unix) for this, called “pipes”. These are a special kind of file, where one program writes while another reads from it, getting the contents in the right order.
In other words: the packet that went into the pipe first will come out first at the other side of the pipe. Imagine it as a “virtual tube”.

It was a bit of a struggle to get all the parameters right, but in the end, I got it working like this (note: all commands are entered in a terminal session on the desktop):

  1. Create the pipe:
     niels@desktop:~$ mkfifo /tmp/pipes/cap_fw
     “/tmp/pipes/” is where I create my pipes, feel free to use whatever directory you prefer.
     “cap_fw” is the name of the pipe I selected.

  2. Start tcpdump remotely with ssh from the desktop where you have wireshark installed:
     niels@desktop:~$ ssh root@<firewall> "tcpdump -s 0 -U -n -w - -i eth1 not port 22" > /tmp/pipes/cap_fw
     Replace <firewall> with the name or IP address of your remote server.

     The options I used are:
     -s 0 : use the required length to catch whole packets
     -U : packet-buffering – write each packet to the pipe as soon as it is captured (as opposed to waiting for the buffer to fill)
     -n : no address-to-name conversion (you can let wireshark do this if you want)
     -w - : write output to standard output
     -i eth1 : capture from interface eth1 – change to match your setup
     not port 22 : leave out any packets from / to port 22. This is needed as we use ssh to connect to our firewall, so that we don’t capture the captured packets again… If you need to examine port 22 on your server, use ssh over an alternative port.
     > /tmp/pipes/cap_fw : redirect the output to our pipe.

  3. While tcpdump is capturing packets and sending them to the pipe, open another terminal, start wireshark and use the pipe as the input:
     niels@desktop:~$ wireshark -k -i /tmp/pipes/cap_fw
     Here the options mean:
     -k : start capturing immediately
     -i /tmp/pipes/cap_fw : use our pipe as the “interface”

And you’re up and running!
You can use all the normal functions of wireshark, like filtering, etc., as if you were capturing from a local interface.
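The three steps above folded into one POSIX shell script, added here as an example (it is not the post's own script; the author only mentions wanting to write one). It assumes key-based ssh access to the firewall, tcpdump on the firewall and wireshark on the desktop; the function names, the PIPE_DIR variable and the pipe naming scheme are my own choices.

```shell
#!/bin/sh
# Added example: remote capture over ssh into a named pipe, read live by wireshark.
# Assumed: ssh key access to the firewall, tcpdump there, wireshark on the desktop.
set -eu

PIPE_DIR="${PIPE_DIR:-/tmp/pipes}"   # where the fifo is created (as in the post)

# Build the tcpdump command line that runs on the remote host.
# $1 = capture interface, $2 = the ssh port to exclude, so the capture does not
# contain its own transport (the post's "not port 22").
build_tcpdump_cmd() {
    printf 'tcpdump -s 0 -U -n -w - -i %s not port %s' "$1" "$2"
}

# Create the named pipe if it is not there yet. Refuse to reuse a regular file of
# the same name: in a shared /tmp someone could pre-create it, and redirecting into
# a plain file would silently turn the "live" capture into a file dump.
ensure_fifo() {
    mkdir -p "$(dirname "$1")"
    if [ -p "$1" ]; then
        return 0
    fi
    if [ -e "$1" ]; then
        echo "error: $1 exists and is not a fifo" >&2
        return 1
    fi
    mkfifo -m 600 "$1"   # only our user may read the captured traffic
}

# Start the remote capture in the background and attach wireshark to the fifo.
# $1 = firewall (user@host or host), $2 = interface (default eth1), $3 = ssh port (default 22)
remote_capture() {
    host="$1"; iface="${2:-eth1}"; port="${3:-22}"
    pipe="$PIPE_DIR/cap_$(printf '%s' "$host" | tr -c 'A-Za-z0-9' '_')"
    ensure_fifo "$pipe"
    # -U is tcpdump's per-packet flush; without it wireshark sees nothing until the buffer fills
    ssh -p "$port" "$host" "$(build_tcpdump_cmd "$iface" "$port")" > "$pipe" &
    sshpid=$!
    wireshark -k -i "$pipe"          # blocks until wireshark is closed
    kill "$sshpid" 2>/dev/null || true   # stop the remote tcpdump when wireshark exits
    rm -f "$pipe"
}

# Only run when invoked with arguments, e.g.: ./remote_cap.sh root@firewall eth1 22
if [ "$#" -gt 0 ]; then
    remote_capture "$@"
fi
```

Running it with an alternative ssh port (third argument) also moves the "not port" exclusion to that port, which covers the case mentioned in step 2.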

By special request from BP{k}, here is a diagram of the setup showing how ssh gets the data from the server, captured by tcpdump and sends it through the pipe to wireshark (with a little help from LeoCAD, l3p and POV-Ray):

[Image: remote_wireshark – diagram of the tcpdump / ssh / pipe / wireshark setup]

I might write a nice bash script to make things simpler now that I figured it all out.
If it is good enough in the end, I’ll publish it here on my blog.

FBReader

Some days ago I read some messages on the SlackBuilds mailing list about problems with building FBReader on 64-bits Slackware and the right location of the libraries. At first, I had no clue what FBReader was, I was just interested in the technical problem and how it was solved.

I decided to build the program and found out it was a nice e-book reader, with some extra features that caught my attention. The nicest was that it can automatically search and download books by author from some on-line “libraries”, which makes it quite simple for the non-technical user to get & read some of the classics.

Here are some screenshots of the program, opening the on-line library and getting a famous book by Arthur Conan Doyle:

[Screenshots: The “About” screen – Opening the on-line library – The books by Arthur Conan Doyle – Book downloaded and ready to read! – Reading the book]

Since the Slackbuild was unmaintained, I resubmitted it for the newest version, together with the needed liblinebreak library.
Both will be available on SlackBuilds.org soon, but if you can’t wait, you can download packages for Slackware from my site.

New package for Zabbix

One more update before wrapping up: Zabbix released version 1.8.1

As suggested by upstream, I do not offer pre-built packages for the server, so I suggest you all wait for the SlackBuild to get out of the pending queue.

Packages for the new agent can be downloaded from my site already.

If you are upgrading from a previous version of Zabbix (like 1.6.x) do not forget to run the update script that is provided with the sources. Enter all normal mysql parameters (like hostname, user, password, database) after the “upgrade” command like this:

upgrade -h <hostname_of_mysql_server>  -u <zabbix_user>  -p<password_of_zabbix_user> <database_name>

Pay special attention to the fact that there is no space between the -p and your password!

The defaults for the zabbix_user, password_of_zabbix_user and database_name are “zabbix”, but you might have changed that during the original installation.

New package for ldglite

Another package has been updated, this time for ldglite version 1.2.4

It’s a simple version update that corrects some small bugs.
As always, packages can be downloaded from my site while the SlackBuild is in the pending queue.

New package for leocad_pieces

The parts library for LeoCAD has been updated and now contains 3.299 pieces.

The updated Slackware package (~ 14MB) can be downloaded from my site.

New version of HerculesStudio

A new version of HerculesStudio, the Hercules GUI front-end for Linux, has been released. It has some nice new features like editing your devices directly, and several new icons:

[Image: HercStudio110 – screenshot of the new HerculesStudio version]
The updated SlackBuild is in the pending queue, but for those who cannot wait, pre-built packages for Slackware can be downloaded from my site.

New package for LDraw_data

I built a new package with LDraw_data for Slackware, containing the latest (200903) library from ldraw.org. Check my site for the pre-built while the SlackBuild is in pending.

Creating a photo site

Sometimes you want to share some pictures from an event with your friends, family, etc. With modern cameras the files are simply too big to send them all by e-mail. There are several free sites available, like photobucket, flickr and picasa where I have accounts that I have used in the past.
But all have their drawbacks and did not completely satisfy me.

So I wrote my own software in PHP a while back to publish my pictures on the web, HN-Photo, that runs on my own server. It is quite crude, but does the job. It has very basic access control so that I can decide who can see which pictures, etc.

But recently I have been experimenting with Gallery, a free, open source package also written in PHP. It has some very nice features like:

  • Tree structure of albums (like “Work” / “Events” / “2009” / “Party” – etc.)
  • Several “Themes” to choose from, that can afterwards be adapted to your own liking
  • Automatic scaling to several sizes – from fast showing 640×480 to the maximum that was uploaded (10Mpixels in my case)
  • Several ways to upload pictures, from single pictures to bulk-upload, rsync, etc.
  • Functions to move pictures between albums, rename, create tags, etc.
  • Impressive permissions structure, with groups and users per album, etc.
  • Lots of plugins available, including e-commerce
  • Integration with many programs, including WordPress

There are many things I’m still discovering and experimenting with, but it seems I will be migrating my >20GB collection in the near future. I will have to try out that bulk-upload feature… :)

The new blog is up & running

After some DNS troubles, the new blog is up & running :)

Something went wrong when I canceled the “CNAME” entry in the DNS server that pointed “blog.nielshorn.net” to the old blogspot site. When I created the new “blog.nielshorn.net” subdomain I couldn’t get it to point at my own server. :-/

But with a little help from my hosting provider everything is OK now.

Feel free to look around and to comment on any errors or broken links!

New blog – Old blog…

As you probably noticed, I changed my blog a bit. The biggest change is not in the visible part, but in the software that runs this blog.
After just over a year on Google’s Blogspot, I decided to run my blog on my own site instead of redirecting it. And since I am a strong believer in free, open software, I installed WordPress. This software is extremely flexible, can be adapted completely to my wishes (as it is written in PHP, using MySQL) and still very easy to use.

I imported all posts from the previous blog, but some links might fail. If you find any inconsistencies, please write a comment or send me a mail, so that I can correct it.

The old blog will stay online as long as Google allows it, since there are several sites with deep links to the posts, but it is closed for new posts or comments.
