Tag Archives: Problem

Analyzing packets with help of tcpdump and ngrep

My recent assignment involves a PHP script listening for connections from network-enabled devices that speak a proprietary protocol.

When a new device came in for testing, no one knew why its data didn't arrive in the system even though it used the same protocol as the older devices. After confirming some details and checking every log I could find, I decided I needed to go deeper: I resorted to network monitoring.


I knew only a few things about the device I needed to debug. The most important was its serial number, which was embedded in every packet, plus its IP address and port (which, as I found out, changed quite often). My first thought was to dump the packets originating from the device's current IP address:

tcpdump -i bond0 -vvv -X -s0 port 1025 and host xx.xx.xx.xx

The selected options stand for:
-i – interface to listen on
-vvv – maximum verbosity
-X – print each packet's payload as hex and ASCII
-s0 – capture whole packets instead of truncating them to the default snapshot length
port 1025 and host xx.xx.xx.xx – keep only packets where one endpoint is host xx.xx.xx.xx and one endpoint uses port 1025 (the filter matches either direction)

The problem was that I did not get any packets to work with: by the time I had set the actual IP address and port, they had already changed. I could have dumped all packets arriving at the PHP service port, but with such a high packet rate I would have needed to dump hundreds of megabytes of data to get anything useful out of it.

But this was about to change.


Ngrep is an interesting tool which you can use almost as easily as grep, but in a network context. Instead of dumping a whole lot of data to a file and then searching through it for my pattern, I was able to do this on the fly.

It was that easy. I could simply grep through all incoming packets for the device ID I was looking for. It didn't matter whether the IP address or port had changed: I could just run the tool and analyze the results a few minutes later.

ngrep -X '0x00000932' -q -x

The options I used:
-X – treat the pattern as a hex signature (with or without the 0x prefix) instead of a regular expression
-q – quiet mode: print only the matched packets, not the '#' marker ngrep otherwise emits for every packet it sees
-x – dump packet contents as hex as well as ASCII (similar to a standard hex viewer)
Like tcpdump, ngrep also accepts an optional BPF filter after the pattern (for example the service port), which cuts down the noise without tying the search to the device's changing address.

After a little fiddling I retrieved a few packets to analyze; the results looked like this packet:

T XX.XX.XX.XX:4186 -> XX.XX.XX.XX:12300 [AP]
 00 00 00 00 00 00 00 3e 08 01 00 00 01 49 51 d2 .......>.....IQ.
 97 5e 00 0d 1f 08 30 1d 9e 8a 20 01 32 00 97 0b .^....0... .2...
 00 0f 00 0a 05 01 01 45 01 f0 01 15 03 c8 00 03 .......E........
 b5 00 0d b6 00 08 42 35 3d 02 c7 00 00 00 09 f1 ......B5=.......
 00 00 65 93 00 01 00 00 e1 a8 ..e.......

Now, using the protocol documentation, I could go byte by byte and look for anything strange. Aha! There it was: one odd byte value pointing at an undocumented feature, which caused the packet to be treated as invalid. Now I was sure that it wasn't an issue on the system side (any protocol changes must first be applied on the system side) but on the device firmware side, and after passing this information to the technicians I received, not long after, an updated protocol specification that included this new byte value.
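As an added example (not code from this post), the following Python script replays the two steps above offline: it parses the ngrep -x hex dump shown above back into raw bytes, searches those bytes for a hex signature given in the same form ngrep -X takes (optional 0x prefix), and walks the payload in 4-byte chunks so the values can be compared against a protocol spec. The dump is the one printed above; the serial 0x00000932 does not occur in that particular packet, so searching for it returns nothing, while a signature that does occur (0x00000009f1, the five bytes closing the fourth line) is found at byte offset 59. The function names, the 4-byte chunk width and the ValueError on odd-length signatures are my own choices and are not anything the device's protocol specifies.

```python
import re

# Hex dump copied from the post above (ngrep -x output of one matched packet).
NGREP_DUMP = """\
T XX.XX.XX.XX:4186 -> XX.XX.XX.XX:12300 [AP]
 00 00 00 00 00 00 00 3e 08 01 00 00 01 49 51 d2 .......>.....IQ.
 97 5e 00 0d 1f 08 30 1d 9e 8a 20 01 32 00 97 0b .^....0... .2...
 00 0f 00 0a 05 01 01 45 01 f0 01 15 03 c8 00 03 .......E........
 b5 00 0d b6 00 08 42 35 3d 02 c7 00 00 00 09 f1 ......B5=.......
 00 00 65 93 00 01 00 00 e1 a8 ..e.......
"""

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_ngrep_hexdump(dump):
    """Turn the -x hex dump of one ngrep match back into raw bytes.

    Each payload line carries up to 16 hex pairs followed by an ASCII
    column.  Tokens are taken from the left while they look like hex pairs
    and at most 16 per line, so the ASCII column (which may itself contain
    spaces when a byte is 0x20) is never mistaken for data.  The
    'T src -> dst [flags]' header starts with a non-hex token, so it
    contributes nothing.
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_hex_signature(sig):
    """Accept the same spelling as ngrep -X: '0x00000932' or '00000932'.

    Rejecting odd-length input is this example's choice; a half byte
    cannot be matched against a byte stream.
    """
    sig = sig.strip().lower()
    if sig.startswith("0x"):
        sig = sig[2:]
    if len(sig) % 2 or not re.fullmatch(r"[0-9a-f]+", sig):
        raise ValueError("signature must be an even number of hex digits")
    return bytes.fromhex(sig)


def find_signature(payload, sig):
    """Return every byte offset at which the hex signature occurs (overlaps included)."""
    needle = parse_hex_signature(sig)
    hits = []
    start = 0
    while True:
        i = payload.find(needle, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


def walk(payload, width=4):
    """Byte-by-byte view: (offset, hex, big-endian int) for each chunk of `width` bytes."""
    return [
        (o, payload[o:o + width].hex(), int.from_bytes(payload[o:o + width], "big"))
        for o in range(0, len(payload), width)
    ]


if __name__ == "__main__":
    data = parse_ngrep_hexdump(NGREP_DUMP)
    print(len(data), "bytes in payload")
    for sig in ("0x00000932", "0x00000009f1"):
        print(sig, "found at offsets", find_signature(data, sig))
    for off, hx, val in walk(data):
        print(f"{off:3d}: {hx:<8} {val}")
```

Feed it a saved `ngrep -q -x` capture instead of the embedded dump and the same three functions let you confirm that a serial really is byte-aligned where the spec says it is, and pick out the field whose value the documentation does not list.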

WordPress 3.3.1 update.

Yesterday a security update for WordPress was released. It fixes 15 minor issues and one XSS vulnerability. Updating your WordPress is strongly advised if you installed your blog using an IP address (http://x.x.x.x/wp-admin/) instead of a domain name (http://example.com/wp-admin).
This flaw can turn your blog into a nasty "infected" place that serves your users unwanted content.
In my case it was a real issue, so this blog is already patched up; I advise you to do the same!


Today I encountered a very strange error, quite similar to Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM in….
At first glance I thought it was a joke from the second programmer I've been working with, but I was wrong.

This error refers to the scope resolution operator (::): T_PAAMAYIM_NEKUDOTAYIM is the PHP tokenizer's name for that token (Hebrew for "double colon"), so the parser is reporting a :: it did not expect. The problem is that the error can show up in quite unpredictable places, as in my example:

if(defined(IPHONE)){   // the unquoted constant name on this line is what the parser complained about
	$mediumlimit = " AND (Media=0 OR Media=2)";
} else {
	$mediumlimit = " AND (Media=0 OR Media=1)";
}

The line if(defined(IPHONE)){ was throwing the error.
When I added quotes around the IPHONE constant name, the error was gone!

Sometimes error messages cause a headache when they are weird and completely unrelated to the actual code; God bless Google for letting me fix it in no time!

Windows 7 full screen games problem.

If you own a computer with a Realtek audio chip, you have probably experienced an issue with full-screen games (like GTA:SA or NFS:MW).

My games, when run full screen, were minimizing every few seconds, preventing me from playing. No solution I found on the internet worked in my case, so I decided to try my luck on my own.

After countless restarts and killed processes I found a process which receives focus every few seconds, causing my games to minimize to the desktop.

The malicious process name is:


You have to kill that process in order to have uninterrupted gameplay. This saved me a lot of time and lets me play my favourite games again!