Cheatsheet: Difference between revisions
Revision as of 23:51, 13 September 2019
ARP vs MAC Table
ARP Table | MAC Table (or CAM Table) |
---|---|
Layer 3 address to Layer 2 address resolution | Layer 2 address to interface binding |
Matches IP addresses to MAC addresses | Maps Ports to MAC addresses |
Needed to forward packets at layer 3 | Used to Switch frames to the right output interface |
Kept by L3 devices | Kept only by L2 devices |
No entry for dest IP address, machine will send ARP request | If no entry, switch will flood the frame |
Default timeout is 4 hours | Default timeout is 5 minutes |
Filled by each ARP reply | Filled by source MAC of each frame passing through switch |
Fragmentation
- Before fragmentation
Sequence | Identifier | Total Length | DF Flag | MF Flag | Fragment offset |
---|---|---|---|---|---|
0 | 345 | 5140 | 0 | 0 | 0 |
- After fragmentation
Sequence | Identifier | Total Length | DF Flag | MF Flag | Fragment offset |
---|---|---|---|---|---|
0-0 | 345 | 1500 | 0 | 1 | 0 |
0-1 | 345 | 1500 | 0 | 1 | 185 |
0-2 | 345 | 1500 | 0 | 1 | 370 |
0-3 | 345 | 700 | 0 | 0 | 555 |
Headers
- IP Header
Version | HLEN | DSCP | ECN | Total Length
Identification | Flags (DF, MF) | Fragment Offset
Time To Live | Protocol | Header Checksum
Source IP Address
Destination IP Address
Options (if HLEN > 5)
- TCP Header
Source port | Destination port
Sequence number
Acknowledgment number (if ACK set)
Data offset | Reserved (0 0 0) | Flags: NS CWR ECE URG ACK PSH RST SYN FIN | Window Size
Checksum | Urgent pointer (if URG set)
Options (if data offset > 5; padded at the end with "0" bytes if necessary) ...
- UDP Header
Source port | Destination port
Length | Checksum
- ARP Header
Hardware type | Protocol type | Hardware address length | Protocol address length | Operation | Source MAC | Source IP | Dest MAC | Dest IP
- ICMP Header
Type | Code | Checksum | Rest of Header
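As an added worked example (not part of the original cheatsheet), the fragmentation table and the IP Header layout above in Python: fragment() reproduces the 5140-byte datagram split over a 1500-byte MTU and refuses to fragment when DF is set, and parse_ipv4_header() decodes the flags, offset and checksum of a constructed header. The addresses, TTL and protocol are assumed sample values.

```python
import struct

IP_HDR_LEN = 20  # fixed IPv4 header (HLEN = 5 words, no options)

def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words. Verifying a header that
    already carries its checksum must yield 0."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def fragment(total_length, mtu, df=0, ident=345):
    """Split a datagram as in the table above. Returns one tuple per fragment:
    (sequence, identifier, total length, DF, MF, fragment offset in 8-byte units).
    A datagram larger than the MTU with DF set cannot be fragmented."""
    if total_length <= mtu:
        return [("0", ident, total_length, df, 0, 0)]
    if df:
        raise ValueError("DF set and datagram larger than MTU: must be dropped")
    payload = total_length - IP_HDR_LEN
    chunk = (mtu - IP_HDR_LEN) // 8 * 8   # data per fragment, multiple of 8
    frags, done = [], 0
    while done < payload:
        size = min(chunk, payload - done)
        mf = 1 if done + size < payload else 0   # last fragment clears MF
        frags.append(("0-%d" % len(frags), ident, size + IP_HDR_LEN, df, mf, done // 8))
        done += size
    return frags

def build_ipv4_header(total_length, ident, df, mf, offset, ttl=64, proto=17,
                      src=b"\xc0\xa8\x01\x0a", dst=b"\xc0\xa8\x01\x01"):
    """Constructed sample header (192.168.1.10 -> 192.168.1.1, UDP) laid out as
    in the IP Header table above, with the checksum filled in."""
    flags_off = (df << 14) | (mf << 13) | offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident,
                      flags_off, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4_header(raw):
    """Decode the fixed header fields; checksum_ok is False for a corrupted header."""
    ver_ihl, _, tlen, ident, flags_off, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:IP_HDR_LEN])
    return {"version": ver_ihl >> 4, "hlen": ver_ihl & 0xF, "total_length": tlen,
            "id": ident, "DF": (flags_off >> 14) & 1, "MF": (flags_off >> 13) & 1,
            "offset": flags_off & 0x1FFF, "ttl": ttl, "protocol": proto,
            "checksum_ok": checksum(raw[:IP_HDR_LEN]) == 0}
```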
TCP
- Parameters determined during Handshake:
MSS (Maximum Segment Size), WSF (Window Scale Factor), SACK Permitted
- MTU vs MSS
- Congestion Control
- Slow Start - Exponential Increase
- The sender starts with cwnd = 1 MSS; cwnd grows by 1 MSS for each ACK that arrives, so the rate increases exponentially per RTT (1, 2, 4, 8, ...) until a threshold (ssthresh) is reached
- Congestion Avoidance - Additive Increase
- cwnd is increased additively: when a whole "window" is acknowledged, cwnd is increased by 1 (window = number of segments transmitted during one RTT). The increase is per RTT, not per arriving ACK; cwnd keeps growing additively until congestion is detected
- Congestion Detection - Multiplicative Decrease
- If congestion occurs, the window size must be decreased. The sender learns about congestion via an RTO or 3 duplicate ACKs; the threshold is dropped to half
- Tahoe
- If an RTO occurs, TCP reacts strongly: cwnd is reduced back to 1 segment and the slow start phase starts again
- Reno
- If 3 duplicate ACKs are received, TCP reacts more weakly: it starts the congestion avoidance phase directly. This is called fast retransmit and fast recovery
- Silly Window Syndrome: the sender creates data slowly, the receiver consumes it slowly, or both.
Syndrome due to Sender:
- Nagle's Algorithm: send the first data immediately, then accumulate data in the output buffer and wait for an ACK or until 1 MSS of data is in the buffer
Syndrome due to Receiver:
- Clark's Solution: announce a window size of 0 until 1) there is enough space for 1 MSS in the buffer, or 2) half of the receive buffer is empty
- Delayed Acknowledgment: a segment is not acknowledged immediately, so the sending TCP does not slide its window; this reduces traffic, but the sender may unnecessarily retransmit. Do not delay more than 500 ms.
- Fast Retransmission
- Useful when the RTO has a large value: if the sender receives four acknowledgments with the same value (three duplicates), the segment expected by all of these ACKs is resent immediately
- Persistence Timer
- Resolves the deadlock created by a lost ACK that was meant to reset a window size of 0 advertised earlier:
- The sending TCP sends a special segment (1 byte of new data) called a probe, which causes the receiving TCP to resend its ACK
- If there is no reply, another probe is sent and the value of the persistence timer is doubled and reset
- The sender continues sending probes, doubling and resetting the persistence timer, until it reaches a threshold (generally 60 s)
- After that the sender sends one probe segment every 60 s until the window is reopened
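An added simulation (not from the original page) of the cwnd behaviour described under Congestion Control above: slow start up to ssthresh, additive increase, and the Tahoe and Reno reactions to an RTO or three duplicate ACKs. Timing is idealised to one step per RTT, and the variant and loss-signal names are this example's own.

```python
def simulate_cwnd(variant, ssthresh, rtts, losses):
    """Trace cwnd (in MSS units) at the start of each RTT.

    variant: "tahoe" or "reno".  losses maps an RTT index to the congestion
    signal the sender saw during that RTT: "rto" or "3dup" (three duplicate
    ACKs).  Slow start doubles cwnd per RTT (one MSS per ACK) until ssthresh,
    then congestion avoidance adds one MSS per RTT.  On any signal ssthresh is
    set to half of cwnd (multiplicative decrease).  Tahoe, and Reno after an
    RTO, drop cwnd to 1 MSS and restart slow start; Reno after 3 dup ACKs sets
    cwnd = ssthresh and continues in congestion avoidance (fast recovery).
    """
    if variant not in ("tahoe", "reno"):
        raise ValueError("variant must be 'tahoe' or 'reno'")
    cwnd = 1
    trace = [cwnd]
    for rtt in range(1, rtts):
        signal = losses.get(rtt - 1)          # detected during the previous RTT
        if signal in ("rto", "3dup"):
            ssthresh = max(cwnd // 2, 2)      # multiplicative decrease
            if variant == "tahoe" or signal == "rto":
                cwnd = 1                      # strong reaction: back to slow start
            else:
                cwnd = ssthresh               # Reno: fast retransmit + fast recovery
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)    # slow start, capped at ssthresh
        else:
            cwnd += 1                         # additive increase, once per RTT
        trace.append(cwnd)
    return trace
```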
VPN Messages (IKEv1)
- Phase 1 - Main Mode
- Message 1 (Initiator): Cookie, Proposal List
- Message 2 (Responder): Cookie, Accepted Proposal
- Message 3 (Initiator): DH Key, Nonce
- Message 4 (Responder): DH Key, Nonce
- Message 5 (Initiator): ID, ID Hash
- Message 6 (Responder): ID, ID Hash
- Phase 1 - Aggressive Mode
- Message 1 (Initiator): ID, Proposal List, DH Key, Nonce
- Message 2 (Responder): ID, Accepted Proposal, DH Key, Nonce, ID Hash
- Message 3 (Initiator): ID Hash
- Phase 2 - Quick Mode
- Message 1 (Initiator): Ph1 Hash, Message ID, Proposal List, Nonce, DH Key, Proxy-ID
- Message 2 (Responder): Ph1 Hash, Message ID, Accepted Proposal, Nonce, DH Key, Proxy-ID
- Message 3 (Initiator): Ph1 Hash, Message ID, Nonce
HTTP Status Codes
Category | Type | Codes |
---|---|---|
1XX | Informational | 100 = Continue |
2XX | Successful | 200 = OK; 201 = Created (URL); 202 = Accepted (request accepted but not acted upon immediately); 203 = Non-authoritative Information (info in header is from a local or third-party copy, not from the original server); 204 = No Content (in body) |
3XX | Redirection | 301 = Moved Permanently; 302 = Found (temporary redirect); 304 = Not Modified; 305 = Use Proxy (URL must be accessed through the proxy mentioned in the Location header); 307 = Temporary Redirect (requested page has moved temporarily to a new URL) |
4XX | Client Error | 400 = Bad Request; 401 = Unauthorized; 402 = Payment Required; 403 = Forbidden; 404 = Not Found; 405 = Method Not Allowed |
5XX | Server Error | 500 = Internal Server Error; 501 = Not Implemented; 502 = Bad Gateway or Proxy; 503 = Service Unavailable; 504 = Gateway or Proxy Timeout; 505 = HTTP Version Not Supported |
HTTP Request Methods
- GET: Retrieve data
- HEAD: Header only, without a response body
- POST: Submits data to a DB, web forum, etc.
- PUT: Replaces the target resource with the uploaded content
- DELETE: Removes the target resource given by the URI
- CONNECT: Used when the client wants to establish a transparent connection to a remote host, usually to facilitate SSL-encrypted communication (HTTPS) through an HTTP proxy
- OPTIONS: Returns the HTTP methods that the server supports for the specified URL
- TRACE: Performs a message loop-back test to see what (if any) changes or additions have been made by intermediate servers
- PATCH:
SSL Handshake
NetScaler
- LB Methods:
- Least Connection = service with the fewest active connections
- Round Robin = rotates through a list of services
- Least Response Time (LRTM) = fewest active connections & lowest average response time
- Least Bandwidth = service serving the least amount of traffic, measured in Mbps
- Least Packets = service that received the fewest packets
- Source IP Hash =
- Destination IP Hash =
- Persistence Methods:
- SOURCE IP =
- COOKIE Insert = connections having the same HTTP cookie, inserted by the Set-Cookie directive from the server, belong to the same persistence session
- SSL Session = connections having the same SSL session ID
- RULE = all connections matching a user-defined rule
- URL Passive = requests having the same server ID (hexadecimal of server IP & port) of the service to which the request is to be forwarded
- Dest IP =
- SRC IP DST IP =
- CALL ID = same Caller ID in the SIP header
- What is Stateful & Stateless Persistence? Which one is more scalable/efficient?
Stateless Session Persistence: a cookie inserted by the ADC is more efficient because there is no need to create a table; NS inserts the cookie & forgets it, and when the client sends it back NS reads the cookie value, decrypts it & forwards the request.
Stateful Session Persistence: the server inserts the cookie; NS hashes it & forwards based on the hash value, but needs to keep a table in memory with all hashes & IP addresses. The same is true for Source IP based persistence, which is also inefficient behind NAT.
Using the Set-Cookie header: set by the server, inserting Name & Value fields. The client sends the cookie back in the Cookie header. Whoever generates the cookie will be able to read it.
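An added example (not NetScaler's code) contrasting the two persistence designs above with a constructed pair of backends: the stateful variant must keep a hash table of server-set cookies, while the stateless variant encodes the URL-passive style server ID in an ADC-inserted cookie and only checks it on return. The page says the ADC encrypts that value; this example authenticates it with an HMAC under an assumed key, which leaves the server ID readable by the client, so a real deployment would encrypt as well.

```python
import hashlib
import hmac

# Constructed sample backends: (IP, port) of each service behind the VIP.
SERVICES = [("10.0.0.11", 80), ("10.0.0.12", 80)]
SECRET = b"adc-persistence-key"   # assumption: key held only by the ADC

def server_id(ip, port):
    """URL-passive style server ID: hexadecimal of the server IP & port."""
    octets = bytes(int(o) for o in ip.split("."))
    return octets.hex() + "%04x" % port

class StatefulPersistence:
    """Server-set cookie: the ADC must remember hash(cookie) -> service for
    every session it has seen, so memory grows with the number of sessions."""
    def __init__(self):
        self.table = {}
    def learn(self, set_cookie_value, service):
        self.table[hashlib.sha256(set_cookie_value.encode()).hexdigest()] = service
    def lookup(self, cookie_value):
        return self.table.get(hashlib.sha256(cookie_value.encode()).hexdigest())

class StatelessPersistence:
    """ADC-inserted cookie: the service is encoded in the cookie itself, so no
    table is kept.  The value is only integrity-protected here (HMAC), not
    encrypted as the page describes, so the server ID is visible to the client."""
    def insert(self, service):
        sid = server_id(*service)
        tag = hmac.new(SECRET, sid.encode(), "sha256").hexdigest()[:16]
        return sid + "." + tag
    def lookup(self, cookie_value):
        sid, _, tag = cookie_value.partition(".")
        expect = hmac.new(SECRET, sid.encode(), "sha256").hexdigest()[:16]
        if not hmac.compare_digest(tag, expect):
            return None                   # forged or tampered: fall back to LB
        for svc in SERVICES:
            if server_id(*svc) == sid:
                return svc
        return None                       # valid tag but service no longer bound
```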
OSPF
- States
Down, Attempt, Init, 2-Way, ExStart, Exchange, Loading, Full
- LSA Types
Type 1 - Router LSA; Type 2 - Network LSA; Type 3 - Network Summary LSA; Type 4 - ASBR Summary LSA; Type 5 - AS External LSA; Type 7 - NSSA External LSA
- Packet Types
Type 1 - Hello; Type 2 - Database Description (DBD); Type 3 - Link-State Request (LSR); Type 4 - Link-State Update (LSU); Type 5 - Link-State Acknowledgment (LSAck)
- Neighbor Requirements
Same area, same authentication config, same subnet, same hello/dead interval, matching stub flags
- OSPF path selection: O > O*IA > O*E1 > O*E2.
- "area range" summarizes type 3 LSAs.
- "summary-address" summarizes type 5 & 7 LSAs.
- Auto-cost reference bandwidth (default = 100 Mbps); formula: cost = 100000000 / interface bandwidth (bps).
BGP
- Route Selection Criteria
Attribute | Which is better |
---|---|
Next Hop reachable | Route cannot be used if next hop is unreachable |
Weight | Bigger |
Local Preference | Bigger |
Locally Injected | Locally injected is better than iBGP/eBGP learned |
AS Path Length | Smaller |
Origin | Prefer I over E & E over Unknown |
MED | Smaller |
Neighbor Type | Prefer eBGP over iBGP |
IGP Metric to Next Hop | Smaller |
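An added example, not from the page, that applies the route selection criteria above in table order to constructed candidate routes and reports which criterion decided between two of them; the field names are this example's own. Note that the table, and therefore this code, compares MED between any two routes, whereas routers by default compare MED only between paths from the same neighbouring AS.

```python
# Constructed candidate routes for one prefix; field names are this example's own.
SAMPLE_ROUTES = [
    dict(peer="R1", next_hop_reachable=True, weight=0, local_pref=100, locally_injected=False,
         as_path_len=2, origin="i", med=0, ebgp=True, igp_metric=10),
    dict(peer="R2", next_hop_reachable=True, weight=0, local_pref=200, locally_injected=False,
         as_path_len=4, origin="i", med=0, ebgp=False, igp_metric=20),
    dict(peer="R3", next_hop_reachable=False, weight=500, local_pref=300, locally_injected=False,
         as_path_len=1, origin="i", med=0, ebgp=True, igp_metric=1),
]

CRITERIA = ("Weight", "Local Preference", "Locally Injected", "AS Path Length",
            "Origin", "MED", "Neighbor Type", "IGP Metric to Next Hop")
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP over EGP over incomplete/unknown

def selection_key(route):
    """One component per criterion in table order; a smaller tuple is the better
    route, so the 'bigger is better' attributes are negated."""
    return (
        -route["weight"],
        -route["local_pref"],
        0 if route["locally_injected"] else 1,
        route["as_path_len"],
        ORIGIN_RANK[route["origin"]],
        route["med"],          # caveat: real routers compare MED only between
                               # paths from the same neighbouring AS by default
        0 if route["ebgp"] else 1,
        route["igp_metric"],
    )

def usable(routes):
    """Next hop reachable: a route with an unreachable next hop is never a candidate."""
    return [r for r in routes if r["next_hop_reachable"]]

def best_path(routes):
    candidates = usable(routes)
    return min(candidates, key=selection_key) if candidates else None

def deciding_criterion(a, b):
    """Name of the first criterion on which two usable routes differ, else None."""
    for name, x, y in zip(CRITERIA, selection_key(a), selection_key(b)):
        if x != y:
            return name
    return None
```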
- BGP States
Idle; Active (attempting to connect); Connect (TCP session established); OpenSent (Open message sent); OpenConfirm (response received); Established (adjacency established)
- BGP Messages
Open; Update; Keepalive (sent every 60 seconds); Notification (always indicates something is wrong)
VPN Monitor vs DPD vs IKE Heartbeat
VPN Monitor | DPD | IKE Heartbeat |
---|---|---|
Juniper Proprietary | RFC Standard | Juniper Proprietary |
Work with Non Juniper | Work with Non Juniper | Cannot work with Non Juniper |
Uses ICMP | Uses ICMP(encrypted IKE Phase 1 message(R-U-THERE)) | -- |
Goes inside the Phase 2 Tunnel | Goes through Phase 1 Tunnel | -- |
Implies VPN is UP | Implies peer is up and responding | Enhancement to detect tunnel availability |
Works if supported by one peer only | -- | Both ends must support |
Configured in Phase 2 | Configured in Phase 1 | Configured in Phase 1 |
SRX Architecture
- First Path
Screens -> Static NAT | Dest NAT -> Route (Forwarding Lookup) -> Zones -> Policy -> Reverse Static NAT | Source NAT -> Service ALG -> Session
- Fast Path
Screens -> TCP -> NAT -> Service ALG
ScreenOS
- ScreenOS Flow order
Sanity Check -> Screening -> Session lookup -> Route lookup -> Policy lookup -> Session creation -> ARP lookup
- Route preference order
Policy Based Routing > Source Interface Based Routing > Source Routing > Destination Routing
- NAT Preference order
Mapped IP > Virtual IP > Policy Based NAT (NAT-Src & NAT-Dst) > Interface Based NAT
SYN Flood Protection
- Threshold = connections above this limit are proxied. If SYN-cookie is enabled, no sessions are established directly between client & firewall or firewall & server
- Alarm Threshold = alarm/alert (to log)
- Queue Size = the number of proxied connections held in the queue; after this the firewall starts rejecting new connection requests
- Timeout Value = maximum time before a half-completed connection is dropped from the queue; the range is 0–50 s, default is 20 s
Linux
Linux Booting
- BIOS
- MBR
- GRUB
- Kernel
- Init
0 – halt; 1 – single user mode; 2 – multiuser, without NFS; 3 – full multiuser mode; 4 – unused; 5 – X11; 6 – reboot
- Runlevel programs
Manually Boot using Grub
- Locate where the vmlinuz and initrd.* files are located:
grub> ls
(hd0) (hd0,msdos5) (hd1) (hd1,msdos0)
- Boot the system:
grub> linux (hd1,msdos1)/install/vmlinuz root=/dev/sdb1
grub> initrd (hd1,msdos1)/install/initrd.gz
grub> boot
File system layout
/ – The root directory
/bin – Essential command binaries
/boot – Boot loader files
/dev – Device files
/etc – Configuration files
/home – Home directories
/lib – Essential libraries
/lost+found – Recovered files
/media – Removable media devices
/mnt – Temporarily mounted filesystems
/opt – Optional software packages
/proc – Kernel & process information
/root – Root user's home directory
/sbin – System binaries
/selinux – Security-Enhanced Linux
/srv – Service data
/sys – Virtual filesystem (sysfs)
/tmp – Temporary files
/usr – Binaries, documentation, source code, libraries
/var – Variable files
ProcFS
/proc/cmdline – Kernel command line information.
/proc/console – Information about current consoles including tty.
/proc/devices – Device drivers currently configured for the running kernel.
/proc/dma – Info about current DMA channels.
/proc/fb – Framebuffer devices.
/proc/filesystems – Current filesystems supported by the kernel.
/proc/iomem – Current system memory map for devices.
/proc/ioports – Registered port regions for input/output communication with devices.
/proc/loadavg – System load average.
/proc/locks – Files currently locked by the kernel.
/proc/meminfo – Info about system memory (see above example).
/proc/misc – Miscellaneous drivers registered for the miscellaneous major device.
/proc/modules – Currently loaded kernel modules.
/proc/mounts – List of all mounts in use by the system.
/proc/partitions – Detailed info about partitions available to the system.
/proc/pci – Information about every PCI device.
/proc/stat – Record of various statistics kept since the last reboot.
/proc/swaps – Information about swap space.
/proc/uptime – Uptime information (in seconds).
/proc/version – Kernel version, gcc version, and Linux distribution installed.
Usage:
ls -l /proc/$(pgrep -n python)/exe
Commands
- netstat
netstat -s
netstat -anp
netstat -ant
- ps
ps -aux
ps -ant
ps -anp
- top
us - user CPU time: % CPU time spent in user space
sy - system CPU time: % CPU time spent in kernel space
ni - user nice CPU time: % CPU time spent on low-priority processes
id - idle CPU time: % CPU time spent idle
wa - I/O wait CPU time: % CPU time spent in wait (on disk)
hi - hardware IRQ: % CPU time spent servicing/handling hardware interrupts
si - software IRQ: % CPU time spent servicing/handling software interrupts
st - steal time: % CPU time in involuntary wait by a virtual CPU while the hypervisor is servicing another processor, i.e. % CPU time stolen from the virtual machine
- ls
Append a character to each file name indicating the file type:
ls -F or ls --classify
* Executable files
/ Directories
@ Symbolic links
| FIFOs
= Sockets
> Doors
Nothing for regular files
List symbolic links:
ls -la
lrwxrwxrwx 1 root root 11 Sep 13 14:57 mounts -> self/mounts
dr-xr-xr-x 3 root root  0 Sep 13 14:57 mpt
-rw-r--r-- 1 root root  0 Sep 13 14:57 mtrr
- free
- du
- df
- curl
- wget
- smem
- nslookup
- dig
- mtr
- Misc
Find symlinks:
find . -type l -ls
ls -la | grep "\->"
CPU info:
lscpu
nproc
grep 'model name' /proc/cpuinfo | wc -l
Obtain the PID with a utility:
pgrep -n python
pidof chrome - returns all PIDs
pidof -s chrome - returns only 1 PID
ps -C chrome -o pid= - -C = command name
Flows
- Complete Flow of PC opening a Website:
- Check NW config
- DHCP if not configured
- Check Domain name in Browser Cache
- Check Domain name in OS Cache
- If not Found in any cache, Prepare to send UDP DNS query to DNS Server
- If DNS Server configured is in same Network Check MAC address in ARP Table
- If not found, send ARP for MAC Address
- Forwards DNS Query to DNS Server and wait for reply containing IP address of Website
- If DNS server configured is not in same subnet, check Gateway config(IP & MAC address)
- If MAC address not found in ARP Table, send ARP request
- After getting reply, fwd the DNS query to gateway
- After getting DNS response, start TCP 3-way handshake S-SA-A.
- Start SSL Handshake if SSL/TLS configured
- Send GET Request
- Server sends ACK & body containing HTML data
- If HTTP 1.0, server sends FIN & closes the connection
- Client sends FIN-ACK
- Server sends Ack
- Complete Flow of DNS Traffic
- Complete Flow of Traffic passing through below scenario:
[PC]-----[Hub]-----[Switch]-----[Router]------[Router]------[Server]