I'm investigating an issue with a process that performs IPC via a socket. The socket is served on the local machine's NIC's IP, and the connection is made to the local machine's NIC's IP from another process on the local machine.

I expected that this would drop down the Windows networking stack at least far enough that Wireshark could see the packets. However, it appears that this is not the case. Therefore, I can conclude that socket IPC takes place higher in the stack [would be interesting to see if any windows event tracing (ETW) facilities would see the traffic as an IP frame]. This isn't important to this question (since this isn't stackoverflow).

Where does WinPcap/Npcap "live" in the networking stack to listen for and pass packets to wireshark?

I'm focused on modern Windows OS versions (client: 7+, 10+; server: 2008+, 2012+, 2016+). Specifically, this client is Windows 10.

I effectively want to know where in the network stack the decision is made to "loop back" the packets to the host instead of sending them down the stack.

Thanks

I'm trying to re-write the TO: header in sent emails with ssmtp.

I've configured mail sent to root to be sent via ssmtp (by creating a symlink at /etc/sendmail).

It is redirected to the /etc/aliases entry, but the TO: header is always the user itself, in this case, it is "TO: root".

The SMTP server rejects this alias. I'd like to have the TO: field re-written to a configurable email address.

I have configured: /etc/aliases, /etc/ssmtp/revaliases, and /etc/ssmtp/ssmtp.conf as I expect would work.

Is this possible with ssmtp?

[UPDATE]

Setup:

yum -y install ssmtp

service sendmail stop
chkconfig --levels 2345 sendmail off
chkconfig --del sendmail
export tmpsm=$(which sendmail)
mv $tmpsm $(echo $tmpsm.bak)

ln -s $(which ssmtp) $tmpsm

groupadd nogroup
useradd ssmtp -g nogroup -s /sbin/nologin -d /nonexistent -c "sSMTP pseudo-user"
chown ssmtp:wheel /etc/ssmtp/ #http://en.wikipedia.org/wiki/Wheel_(Unix_term)
chmod 4750 /etc/ssmtp/ #https://en.wikipedia.org/wiki/Setuid
chown ssmtp:wheel /etc/ssmtp/ /etc/ssmtp/ssmtp.conf
chmod 640 /etc/ssmtp/ssmtp.conf

chown ssmtp:nogroup $(which ssmtp)
chmod 4555 $(which ssmtp)

sed s/root=postmaster/#root=postmaster/ -i /etc/ssmtp/ssmtp.conf
sed s/mailhub=mail/#mailhub=mail/ -i /etc/ssmtp/ssmtp.conf
echo "[email protected]" >> /etc/ssmtp/ssmtp.conf #will route anything that's sent to any user with a UID under 500 (check /etc/passwd) to [email protected]
echo "mailhub=smtp.stackoverflown.com:587" >> /etc/ssmtp/ssmtp.conf 
echo "[email protected]" >> /etc/ssmtp/ssmtp.conf 
echo "AuthPass=XXXXXXXXX" >> /etc/ssmtp/ssmtp.conf 
echo "[email protected]" >> /etc/ssmtp/ssmtp.conf  #will rewrite the domain when destined for a domain
echo "[email protected]" >> /etc/ssmtp/ssmtp.conf 
echo "FromLineOverride=YES" >> /etc/ssmtp/ssmtp.conf 
echo "UseTLS=YES" >> /etc/ssmtp/ssmtp.conf 
echo "UseSTARTTLS=Yes" >> /etc/ssmtp/ssmtp.conf 


echo "root:[email protected]" >> /etc/ssmtp/revaliases
echo "seccubus:[email protected]" >> /etc/ssmtp/revaliases


#setup send as alias
echo 'root: [email protected]' >> /etc/aliases
echo 'seccubus: [email protected]' >> /etc/aliases
newaliases

Test:

yum -y install mailx

#test baseline:
echo "test" | mail -v -s "$(date)" [email protected]
#test sending to a local user:
echo $(netstat -apn | grep :) | mail -v -s "$(date)" root #<-------------------FAILS to send due to SERVER specific policy!  because "TO: root"

#check logs:
tail -f /var/log/maillog

I have a credential provider that does not act the way I want it to. It provides secondary authentication, but it's scope is for all interactive Windows logins host-wide, not for a specific user.

In addition to the credential provider, a credential provider filter is installed. The credential provider filter restricts the use of credential providers on the login screen to just this credential provider. However, if the credential provider filter is removed (via deletion of the key below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters), then a user can change the credential provider to any other available credential provider (including our good old friend PasswordProvider).

My intention is to enforce the use of credential provider for certain users. For instance, it's fine if this user attempts to login with another credential provider, but I'd like AD to reject this request... only allowing requests if they are called from the correct credential provider.

Is this possible? I'm hoping there is a way to configure a user object in AD to restrict the acceptable credential providers.

Thanks

We currently use a combination of a regular and an "advanced/fancy" endpoint malware protection, in the advanced malware app, I can feed a SHA256 hash of an executable into the advanced platform and it will block execution of the given executable.

Can I do the same (blacklisting, not whitelisting) with AppLocker?

We utilize HTTPS deep packet inspection in our firewall via a trusted root certificate in the Windows certificate store. Chrome recently pushed forward with a feature to perform additional checks on certificate issuance called Certificate Transparency, where each certificate used (that was issued after a certain date) is checked against a known good list of CAs.

The use of HTTPS deep packet inspection (aka HTTPS proxying/offloading/MiTM) now causes Chrome to error as per this example.

Is it possible to disable the sole feature of audit log checking in Chrome?

Update in response to womble's answer.

This update is wrong. Womble's answer is correct, see below.

This is what I originally thought, but it clearly isn't.

Here are screenshots of overly righteous Chrome:

No MiTM:

MiTM:

It does appear that it is directly related to cert transparency/audit log checking and not the use of SHA-1 and upcoming depreciation in nanny Chrome. Worth noting that our internal CA cert does expire after 2017.

Update 2, womble is right:

Thanks to womble's answer, I re-reviewed the notice from the Chrome team, and noticed any site with a cert with an expiration 2017+ that uses SHA-1 will get the "affirmatively insecure" warning (the crossed out red lock icon).

To prove my MiTM/proxy the culprit, I used a salesforce test site (located via ducking a KB article)

No MiTM:

MiTM:

 *note that even with no MiTM Chrome detects this site as "secure, but with minor errors" (that yellow icon) because the cert expires within the 2016 calendar year, not 2017+.

My proxy/MiTM is downgrading the algo from SHA-256 to SHA-1. Tsk Tsk! Chrome is acting exactly as intended according to the notice, and I do not believe my user's will receive "affirmatively insecure" notifications once I resolve this issue with the MiTM/proxy.

Thanks!

Update 3: Remember to check firmware updates/release notes... SHA-256 now supported. Update slated Friday. Should be a-okay.

We have several ASA 5505 deployed. Currently, we have a setup where the local ASA is answering DHCP queries and is configuring clients with two DNS servers: our DR site DNS server (we use AD) and a public DNS.

We need to give clients access to "the internet" when the VPN tunnel is down (this means not only packet routing but DNS answers), which rules out serving DHCP from our side. The above config allows us to use vpnclient server [Production site VPN target] [DR site VPN target] without issue.

This is a workaround from previous config where we manually failed over tunnels by adjusting the DHCP assigned DNS. Super high touch and slow.

On a Fortigate, there was a load balancing service that would create a VIP and had some checks ot verify connectivity to DNS servers.

Beyond a creative solution like load balancing, how can we configure clients that are assigned DHCP by our field ASAs to send DNS lookups to specific servers?

[side note]

Just thought that we might use load balancers at each site that serve DNS via the same VIP (only accessible by VPN clients). But this is a complex server-side solution for a possible client-side problem.

I'm attempting to configure a DataCollector set of counters, and would like to (and do) select Process\% Processor Time\<All instances>. However, the resultant perfmon data counter collected is _Total. How do I actually record the dynamic counter collection <All instances>?

I have a challenge where I want to use a GPO to set a Power Plan.

Working on constructing a WMI Filter (using WQL), I ran into a problem of determining a set of WQL statements that would always return true for desktops/servers and false for laptops/notebooks.

I began by testing the use of win32_systemenclosure property ChassisTypes, but quickly found that ChassisTypes is an int array, which can not be used in (standard) WQL [although it's available in the SCCM WQL extension set].

Next I found references to use win32_battery and check the Status property for a non-zero value; but I quickly realized that this will return a value on desktops and servers that have a UPS attached via USB.

Since none of the above will always (+/- tolerable N) return true for desktops/servers, and false for laptops/notebooks, I located the win32_portablebattery class.

Excited, I began testing and quickly noticed that win32_portablebattery returns nothing when executed against a desktop or server. By "nothing" I don't mean {empty string}/"", I don't mean NULL, and I don't mean false, I mean literally nothing. I have even attempted to check __CLASS = "" and __CLASS IS NULL and both still return false for desktops and servers.

Does anyone know any further WQL-fu to try to get a true results using win32_portablebattery?

I am interested leveraging the ease of report production provided by Microsoft SQL Report Builder, but I would like WMI as an available datasource. Since SQL Report Builder relies only on SQL, I would like to install the WMI ODBC driver on Windows 7, but the instructions from the MSFT site must cover XP, as the WMI ODBC driver is not apparently available.

How do I install the WMI ODBC driver on Windows 7?

If I attempt a logon with bad credentials to an sshd server, I am greeted with Access denied after about a 2 second pause.

Is there a way to increase the time it takes to return the password entry prompt?

Note that I already have LoginGraceTime set to a value of 20s.

Is it okay for me to check the contents of a file for a given string with grep in an init script?

I am concerned about introducing dependencies and general convention when it comes init scripts, and if running grep or other tools violates some credo.

I have performed some research, and it appears that I can target both XP and 7 clients with group policy preferences to add a shared printer.

This article describes the presence of a Shared Printer item on the New menu in the group policy preferences Control Panel Settings item Printers, but all I have listed are: TCP/IP Printer and Local Printer.

The server which I am using to create the GPO is Windows 2008 R2.

Why doesn't the New Printer option allow me to create a Shared Printer?

Is it viable to use w32tm.exe's option stripchart to judge the time variance of two hosts (within a very small margin of error)? Note that w32tm.exe's stripchart function is separate than the algorithm used by the Windows Time service itself.

If not, what are some alternate methods?

Thanks,

Matt

I'm introducing some PIM routing into my network to make some multicast traffic available across routers.

I have read a bit on PIM, sparse mode versus dense mode. After reading, I am trying to figure out, under what circumstances would I want to use dense mode?

If I have a simple structure:

[multicast subscriber] <-> [DR router] <-> [DR router] <-> [RP router] <-> [multicast sender]

is it true that using sparse mode from this topology would allow me to expand more efficiently?

How is "time to first packet received" affected by sparse versus dense mode, considering a particular large tree of routers? Are RPs always subscribed to receive multicast?

Thanks,

Matt

I am having some trouble configuring snmptt to properly translate snmp traps.

The following is a problem:

/etc/snmp/snmptt.conf reflects:

EVENT fgFmTrapIfChange .1.3.6.1.4.1.12356.101.6.0.1004 "Status Events" Critical
FORMAT $*
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r "snmp_traps" 2 "$O: $+*" "$*"
SDESC

Trap is sent to the managing FortiManager if an interface IP is changed
Variables:
  1: fnSysSerial
  2: ifName
  3: fgManIfIp
  4: fgManIfMask
EDESC

when a trap is received, /var/log/messages reflects:

Sep  6 12:07:32 SNMPMANAGERHOST snmptrapd[15385]:
2012-09-06 12:07:32 <UNKNOWN>
[UDP:
[192.168.100.2]:162->[192.168.100.31]]:
#012.1.3.6.1.2.1.1.3.0 = Timeticks: (707253943) 81 days, 20:35:39.43
#011.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.12356.101.6.0.1004
#011.1.3.6.1.4.1.12356.100.1.1.1.0 = STRING: FGTNNNNNNNNN
#011.1.3.6.1.2.1.31.1.1.1.1.10 = STRING: internal4
#011.1.3.6.1.4.1.12356.101.6.2.1.0 = IpAddress: 192.168.65.100
#011.1.3.6.1.4.1.12356.101.6.2.2.0 = IpAddress: 255.255.255.0

Sep  6 12:07:37 SNMPMANAGERHOST icinga:
EXTERNAL COMMAND:
PROCESS_SERVICE_CHECK_RESULT;
192.168.100.2;
snmp_traps;
2;
enterprises.12356.101.6.0.1004: enterprises.12356.100.1.1.1.0:FGTNNNNNNNNN ifName.10:internal4 enterprises.12356.101.6.2.1.0:192.168.65.100 enterprises.12356.101.6.2.2.0:255.255.255.0

Since the icinga entry reflects the EXEC, it's obvious there is no translations occurring by snmptt.

I have verified that translate_log_trap_oid and net_snmp_perl_enable is enabled in snmptt.ini

When using --debug=1 to start snmptt, I see the following in the --debugfile:

********** Net-SNMP version 5.05 Perl module enabled **********

The main NET-SNMP version is reported as NET-SNMP version: 5.5.

What else can be done to verify that snmptt is configured properly to translate traps?

I have run snmptt-net-snmp-test to verify whatever net-snmp-perl version I have installed properly supports translations. The output indicates it does.

/root/snmptt_1.3/snmptt-net-snmp-test --best_guess=2

SNMPTT Net-SNMP Test v1.0
(c) 2003 Alex Burger
http://snmptt.sourceforge.net

MIBS:RFC1213-MIB
best_guess: 2


Testing translateObj
********************

Testing: .1.3.6.1.2.1.1.1, long_names=disabled, include_module=disabled
Test passed.  Result: sysDescr

Testing: .1.3.6.1.2.1.1.1, long_names=disabled, include_module=enabled
Test passed.  Result: RFC1213-MIB::sysDescr

Testing: .1.3.6.1.2.1.1.1, long_names=enabled, include_module=disabled
Test passed.  Result: .iso.org.dod.internet.mgmt.mib-2.system.sysDescr

Testing: .1.3.6.1.2.1.1.1, long_names=enabled, include_module=enabled
Test passed.  Result: RFC1213-MIB::.iso.org.dod.internet.mgmt.mib-2.system.sysDescr

Testing: sysDescr, long_names=disabled, include_module=disabled
Test passed.  Result: .1.3.6.1.2.1.1.1

Testing: RFC1213-MIB::sysDescr, long_names=disabled, include_module=disabled
Test passed.  Result: .1.3.6.1.2.1.1.1

Testing: system.sysDescr, long_names=disabled, include_module=disabled
Test passed.  Result: .1.3.6.1.2.1.1.1

Testing: RFC1213-MIB::system.sysDescr, long_names=disabled, include_module=disabled
Test passed.  Result: .1.3.6.1.2.1.1.1

Testing: .iso.org.dod.internet.mgmt.mib-2.system.sysDescr, long_names=disabled, include_module=disabled
Test passed.  Result: .1.3.6.1.2.1.1.1


Testing getType
***************

Testing: .1.3.6.1.2.1.4.1
Test passed.  Result: INTEGER

Testing: ipForwarding
Test passed.  Result: INTEGER


Testing Description
*******************
Test passed.  Result:
-------------------------------------------------
The indication of whether this entity is acting
as an IP gateway in respect to the forwarding of
datagrams received by, but not addressed to, this
entity.  IP gateways forward datagrams.  IP hosts
do not (except those source-routed via the host).
Note that for some managed nodes, this object may
take on only a subset of the values possible.
Accordingly, it is appropriate for an agent to
return a `badValue' response if a management
station attempts to change this object to an
inappropriate value.
-------------------------------------------------

I have manually gone through the MIB with the definition that's not resolving, and verified that it is properly linking back to the proper resolved definition. It is:

FORTINET-FORTIGATE-MIB.txt contains:

fgFmTrapIfChange NOTIFICATION-TYPE
    OBJECTS     { fnSysSerial, ifName, fgManIfIp, fgManIfMask }
    STATUS      current
    DESCRIPTION
        "Trap is sent to the managing FortiManager if an interface IP is changed"
    ::= { fgFmTrapPrefix 1004 }


fgFmTrapPrefix OBJECT IDENTIFIER
    ::= { fgMgmt 0 }

fgMgmt OBJECT IDENTIFIER
    ::= { fnFortiGateMib 6 }

fnFortiGateMib
    ::= { fortinet 101 }

IMPORTS
    FnBoolState, FnIndex, fnAdminEntry, fnSysSerial, fortinet
        FROM FORTINET-CORE-MIB

fortinet MODULE-IDENTITY
    ::= { enterprises 12356 }

LOOKS GOOD!!!!!
1.3.6.1.4.1.12356.101.6.0.1004

I've exhausted all the documentation and even posted fruitlessly in the snmptt-users mailing list.

I can not prove it is the MIB.

Why would snmptt fail to translate traps?

Simply:

• $O = enterprises.12356.101.6.0.1004
• when $O should = fgFmTrapIfChange

Thanks,

Matt

[UPDATE]

snmptt.ini

snmptrapd.conf:

authCommunity log,execute,net communitystr
traphandle default /usr/bin/snmptthandler

snmptt.conf

MIB where trap that isn't being translated lives (and it's referenced MIB).

Note that linkUp and linkDown are translating properly.

[UPDATE 2]

I have also tested with another MIB that isn't a default MIB contained within the net-snmp package, and this MIB also fails to resolve.

[UPDATE 3]

If I set the following in snmptt.ini:

mode = standalone

And I set the following in snmptrapd.conf:

traphandle default /usr/sbin/snmptt --ini=/etc/snmp/snmptt.ini

I am able to translate traps as expected.

This means that whatever method /usr/sbin/snmptt uses to daemonize may not have access to the MIBs, or may be doing something other than what's described. The documentation included within snmptt.ini likely will contain the answers I seek.

[[ SOLUTION ]]

Set mibs_environment = ALL in snmptt.ini

Description:

# Allows you to set the MIBS environment variable used by SNMPTT
# Leave blank or comment out to have the systems enviroment settings used
# To have all MIBS processed, set to ALL
# See the snmp.conf manual page for more info.

mibs_environment = ALL must be set in snmptt.ini even with snmptrapd starting with -m ALL (where ALL is a wild card statement that includes all MIBs [defined within the files]).

\o.

I recently configured a bridge br0 with members as eth0 (real if) and dummy0 (dummy.ko if).

When I ping this machine, I receive duplicate replies as:

  # ping SERVERA
  PING SERVERA.domain.local (192.168.100.115) 56(84) bytes of data.
  64 bytes from SERVERA.domain.local (192.168.100.115): icmp_seq=1 ttl=62 time=113 ms
  64 bytes from SERVERA.domain.local (192.168.100.115): icmp_seq=1 ttl=62 time=114 ms (DUP!)
  64 bytes from SERVERA.domain.local (192.168.100.115): icmp_seq=2 ttl=62 time=113 ms
  64 bytes from SERVERA.domain.local (192.168.100.115): icmp_seq=2 ttl=62 time=113 ms (DUP!)

Using tcpdump on SERVERA, I was able to see icmp echo replies being sent from eth0 and br0 itself as follows (oddly two echo request packets arrive "from" my Windows box myhost):

  23:19:05.324192 IP myhost.domain.local > SERVERA.domain.local: ICMP echo request, id 512, seq 43781, length 40
  23:19:05.324212 IP SERVERA.domain.local > myhost.domain.local: ICMP echo reply, id 512, seq 43781, length 40
  23:19:05.324217 IP myhost.domain.local > SERVERA.domain.local: ICMP echo request, id 512, seq 43781, length 40
  23:19:05.324221 IP SERVERA.domain.local > myhost.domain.local: ICMP echo reply, id 512, seq 43781, length 40
  23:19:05.324264 IP SERVERA.domain.local > myhost.domain.local: ICMP echo reply, id 512, seq 43781, length 40
  23:19:05.324272 IP SERVERA.domain.local > myhost.domain.local: ICMP echo reply, id 512, seq 43781, length 40

It's worth noting, testing reveals that hosts on the same physical switch do not see DUP icmp echo responses (a host on the same VLAN on another switch does see a dup icmp echo response).

I've read that this could be due to the ARP table of a switch, but I can't find any info directly related to bridges, just bonds. I have a feeling my problem lay in the stack on linux, not the switch, but am opened to any suggestions.

The system is running centos6/el6 kernel 2.6.32-71.29.1.el6.i686.

How do I stop ICMP echo replies from being sent in duplicate when dealing with a bridge interface/bridged interfaces?

Thanks,

Matt

[edit]

Quick note: It was recommended in #linux to:

[08:53] == mbrownnyc [gateway/web/freenode/] has joined ##linux
[08:57] <lkeijser> mbrownnyc: what happens if you set arp_ignore to 1 for the dummy interface?
[08:59] <lkeijser> also set arp_announce to 2 for that interface
[09:24] <mbrownnyc> lkeijser: I set arp_annouce to 2, arp_ignore to 2 in /etc/sysctl.conf and rebooted the machine... verifying that the bits are set after boot... the problem is still present

I did this and came up empty. Same dup problem.

I will be moving away from including the dummy interface in the bridge as:

[09:31] == mbrownnyc [gateway/web/freenode/] has joined #Netfilter
[09:31] <mbrownnyc> Hello all... I'm wondering, is it correct that even with an interface in PROMISC that the kernel will drop /some/ packets before they reach applications?
[09:31] <whaffle> What would you make think so?
[09:32] <mbrownnyc> I ask because I am receiving ICMP echo replies after configuring a bridge with a dummy interface in order for ipt_netflow to see all packets, only as reported in it's documentation: http://ipt-netflow.git.sourceforge.net/git/gitweb.cgi?p=ipt-netflow/ipt-netflow;a=blob;f=README.promisc
[09:32] <mbrownnyc> but I do not know if PROMISC will do the same job
[09:33] <mbrownnyc> I was referred here from #linux.  any assistance is appreciated
[09:33] <whaffle> The following conditions need to be met: PROMISC is enabled (bridges and applications like tcpdump will do this automatically, otherwise they won't function).
[09:34] <whaffle> If an interface is part of a bridge, then all packets that enter the bridge should already be visible in the raw table.
[09:35] <mbrownnyc> thanks whaffle PROMISC must be set manually for ipt_netflow to function, but
[09:36] <whaffle> promisc does not need to be set manually, because the bridge will do it for you.
[09:36] <whaffle> When you do not have a bridge, you can easily create one, thereby rendering any kernel patches moot.
[09:36] <mbrownnyc> whaffle: I speak without the bridge
[09:36] <whaffle> It is perfectly valid to have a "half-bridge" with only a single interface in it.
[09:36] <mbrownnyc> whaffle: I am unfamiliar with the raw table, does this mean that PROMISC allows the raw table to be populated with packets the same as if the interface was part of a bridge?
[09:37] <whaffle> Promisc mode will cause packets with {a dst MAC address that does not equal the interface's MAC address} to be delivered from the NIC into the kernel nevertheless.
[09:37] <mbrownnyc> whaffle: I suppose I mean to clearly ask: what benefit would creating a bridge have over setting an interface PROMISC?
[09:38] <mbrownnyc> whaffle: from your last answer I feel that the answer to my question is "none," is this correct?
[09:39] <whaffle> Furthermore, the linux kernel itself has a check for {packets with a non-local MAC address}, so that packets that will not enter a bridge will be discarded as well, even in the face of PROMISC.
[09:46] <mbrownnyc> whaffle: so, this last bit of information is quite clearly why I would need and want a bridge in my situation
[09:46] <mbrownnyc> okay, the ICMP echo reply duplicate issue is likely out of the realm of this channel, but I sincerely appreciate the info on the kernels inner-workings
[09:52] <whaffle> mbrownnyc: either the kernel patch, or a bridge with an interface. Since the latter is quicker, yes
[09:54] <mbrownnyc> thanks whaffle

[edit2]

After removing the bridge, and removing the dummy kernel module, I only had a single interface chilling out, lonely. I still received duplicate icmp echo replies... in fact I received a random amount: http://pastebin.com/2LNs0GM8

The same thing doesn't happen on a few other hosts on the same switch, so it has to do with the linux box itself. I'll likely end up rebuilding it next week. Then... you know... this same thing will occur again.

[edit3] Guess what? I rebuilt the box, and I'm still receiving duplicate ICMP echo replies. Must be the network infrastructure, although the ARP tables do not contain multiple entries.

[edit4] How ridiculous.

The machine was a network probe, so I was (ingress and egress) mirroring an uplink port to a node that was the NIC. So, the flow (must have) gone like this:

1. ICMP echo request comes in through the mirrored uplink port.
2. (the real) ICMP echo request is received by the NIC
3. (the mirrored) ICMP echo request is received by the NIC
4. ICMP echo reply is sent for both.

I'm ashamed of myself, but now I know. It was suggested on #networking to either isolate the mirrored traffic to an interface that does not have IP enabled. Another solution is to create an administrative VLAN, and remove the mirroring of packets to the administrative VLAN (unfortunately, not an option on my switch).

I am attempting to use ProxyPass and ProxyPassReverse to proxy requests through Apache to another server instance that is bound to the localhost on a different TCP port that the Vhost exists (VHost is bound to :80, when the target is bound to :5000).

However, I am repeatedly receiving HTTP 503 when accessing the Location.

According to the ProxyPass documentation...

<VirtualHost *:80>
    ServerName apacheserver.domain.local
    DocumentRoot /var/www/redmine/public
    ErrorLog logs/redmine_error

    <Directory /var/www/redmine/public>
            Allow from all
            Options -MultiViews
            Order allow,deny
            AllowOverride all
    </Directory>
</VirtualHost>
PassengerTempDir /tmp/passenger

<Location /rhodecode>
  ProxyPass http://127.0.0.1:5000/rhodecode
  ProxyPassReverse http://127.0.0.1:5000/rhodecode
  SetEnvIf X-Url-Scheme https HTTPS=1
</Location>

I have tested binding the alternate server to the interface IP address, and the same issue occurs.

The server servicing request is an instance of python paste:httpserver, and it has been configured to use the /rhodecode suffix (as I saw this to be mentioned in other posts about ProxyPass). The documentation from the project itself, Rhodecode, reports to use the above.

The issue is persistent if I target another server that is serving on a different port.

Does ProxyPass allow proxying to a different TCP port?

[update]

I won't delete this, in case someone comes across the same issue.

I had set an ErrorLog, and in that ErrorLog the following error was reported:

[Wed Nov 09 11:36:35 2011] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:5000 (192.168.100.100) failed
[Wed Nov 09 11:36:35 2011] [error] ap_proxy_connect_backend disabling worker for (192.168.100.100)

After some more research, I attempted to set SELinux to permissive (echo 0 >/selinux/enforce), and try again.

It turns out the SELinux boolean httpd_can_network_connect must be set to 1.

For persistence on reboot:

setsebool -P httpd_can_network_connect=1

This is in reference to another question: How do I use robocopy to list all files over a certain size recursively?

I would like to parse output of a command (or cat a log file) and find a string value, convert it to an integer and then see if that integer value is greater than a given integer.

For instance, given the line:

      *EXTRA File          78223    C:\_Google.Enterprise.Contract.2010-06-01.pdf

I'd like to compare '78223' to '10485760'. Is this possible with grep or sed?

Thanks!

I feel quite silly, since robocopy is server administration 101; but I seem to be having a problem listing files.

I desire to list all files over 10MB in size in the directory and subdirectory.

According to docs, this is what should work:

robocopy c:\ /min:10485760 /s /l /fp /tee /log:c:\robocopy.log /njh /njs /ndl

But when I run it, an error is returned "No Destination Directory Specified," which I think isn't needed if you are using the list (/L) option.

Also, if I include the same directory as the destination like so:

robocopy c:\ c:\ /min:10485760 /s /l /fp /tee /log:c:\robocopy.log /njh /njs /ndl

Nothing is returned; but if I drop the no directory list (/ndl), I see a list of all directories.

So my question is: How do I use robocopy to list files over 10MB in a directory tree structure, and just that?

Thanks!

On my hunt to find an answer, I came across an answer to the opposite question, how to find which file occupies a sector (on Windows, use nfi.exe from the Windows 2000 OEM toolkit).

From what I know, finding the sector(s) a file is occupying is quite possible as a program I had used called Ultimate Defrag does this (for fragmented files in it's list).

Does anyone know of a program that will report the sector(s) a file occupies on NTFS?