Capturing iPhone traffic

This walkthrough will enable you to capture all traffic that ingresses or egresses the device. It will not differentiate between WLAN and Cellular traffic. If you’re on WiFi, no IP traffic should traverse the Cellular network. If you turn WiFi off, you’ll see your data flow over Cellular.

You’ll need :

  • A Mac with a 30pin/Lightning cable
  • An iPhone

Versions tested :

  • Mac OS X 10.11.6
  • iOS 9.3.3

Procedure:-

Install Xcode on Mac OS X – beware, 4GB download.

Install Wireshark on Mac OS X – no need to beware. Not a 4GB download.

Xcode will make the rvictl tool available to you and despite other tutorials using tcpdump, you can actually capture straight into Wireshark from the remote virtual interface that we’ll create.

Attach an iPhone to the Mac with the cable and allow the Mac to be trusted by the iPhone so it appears in iTunes.

Viewing the iPhone summary page in iTunes, the section which includes the Capacity and Phone Number also has the Serial Number. If you click on the words Serial Number, the display rotates through UDID, ECID and Product Type. We want the UDID.

Hold Ctrl and click the UDID string which is a stupid long alphanumeric. Choose copy.

Open a terminal window.

In the terminal window, enter rvictl -s with whitespace after the “-s”, then hold Ctrl and click the terminal window and choose “Paste”.

The resulting command should look like:

Macbook$ rvictl -s 23cf3b0ce86e059dd87e53b507858abc99c

When finished with the procedure after using either tcpdump or Wireshark, use the -x form.

rvictl

You can then either use tcpdump if you want to simply save the data to a file for review later, or if you’d like the feeling of ‘watching the traffic’ too, fire up Wireshark and capture from the rvi0 interface. Treat Wireshark like you would in any other packet capture situation.

tcpdump syntax to capture to a file called iphone_capture.pcapng would look like this:

tcpdump -n -i rvi0 -w iphone_capture.pcapng

Use Ctrl+C to stop the capture in tcpdump.

When you’re done, simply stop the remote virtual interface as described earlier and disconnect your phone.
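The whole procedure as one script, so that the remote virtual interface is always stopped with the -x form even when the capture ends with Ctrl+C or an error. This is an added example, not part of the original post; the helper names, the `run` parameter and the UDID shape check are assumptions made for illustration, and rvi0 is assumed to be the interface that rvictl creates.

```python
import re
import subprocess
import sys
from contextlib import contextmanager

RVI_IFACE = "rvi0"  # assumption: first remote virtual interface, as on the page
UDID_RE = re.compile(r"^[0-9A-Fa-f-]{8,64}$")  # assumed shape: hex, optional dash


def clean_udid(raw):
    """Strip whitespace picked up by copy/paste and reject anything else."""
    udid = raw.strip()
    if not UDID_RE.match(udid):
        raise ValueError(f"does not look like a UDID: {raw!r}")
    return udid


@contextmanager
def remote_virtual_interface(udid, run=subprocess.check_call):
    """'rvictl -s' on entry, 'rvictl -x' on exit, even if the capture fails."""
    udid = clean_udid(udid)
    run(["rvictl", "-s", udid])
    try:
        yield RVI_IFACE
    finally:
        run(["rvictl", "-x", udid])


def capture(udid, outfile, run=subprocess.check_call):
    """Run the page's tcpdump command on the RVI until Ctrl+C, then clean up."""
    with remote_virtual_interface(udid, run) as iface:
        try:
            run(["tcpdump", "-n", "-i", iface, "-w", outfile])
        except KeyboardInterrupt:
            pass  # Ctrl+C is the normal way to end the capture
    return outfile


if __name__ == "__main__":
    # usage: python3 iphone_capture.py <UDID> [outfile]
    target = sys.argv[2] if len(sys.argv) > 2 else "iphone_capture.pcapng"
    print("wrote", capture(sys.argv[1], target))
```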

Happy capturing!

 

Cisco WLAN Device Disconnects

Problem statement

The issue I’m facing in an 802.1x Cisco Controller based Wireless Network is that 802.1x Wireless Clients are either A. disconnecting whilst completely static and sitting at desks, where I’m seeing a connectivity drop with DHCP renewal (according to Cisco AnyConnect supplicants), or B. whilst roaming, hanging on to APs which are nowhere near the closest AP to the client when moving about the building.

Cisco Wireless LAN Controller

In Cisco WLC Release 8.0, Cisco included Optimized Roaming into their Controller code.

Cisco states the following on Optimized Roaming:-

Information About Optimized Roaming

“Optimized roaming resolves the problem of sticky clients that remain associated to access points that are far away and outbound clients that attempt to connect to a Wi-Fi network without having a stable connection. This feature disassociates clients based on the RSSI of the client data packets and data rate. The client is disassociated if the RSSI alarm condition is met and the current data rate of the client is lower than the optimized roaming data rate threshold. You can disable the data rate option so that only RSSI is used for disassociating clients.

Optimized roaming also prevents client association when the client’s RSSI is low. This feature checks the RSSI of the incoming client against the RSSI threshold. This check prevents the clients from connecting to a Wi-Fi network unless the client has a viable connection. In many scenarios, even though clients can hear beacons and connect to a Wi-Fi network, the signal might not be strong enough to support a stable connection.

You can also configure the client coverage reporting interval for a radio by using optimized roaming. The client coverage statistics include data packet RSSIs, Coverage Hole Detection and Mitigation (CHDM) pre-alarm failures, retransmission requests, and current data rates.”

I’m also very interested in getting log events into my SIEM platform to be able to see when disconnect events are happening. I’m currently trying to get clarity from the advanced logging options in the WLC as I’d like just those specific events to come through. I’ll update this section when I’m there.

Now, my final configuration will probably not fit your environment, in that we’re dealing with physics here (radio). My environment has its own unique physical characteristics. But I hope to share the journey I took to get to the correct balance for my organisation.

To gain an understanding of my particular environment, here’s some detail.

Building

The building in question is 72m x 29m in size. The build is mostly wood, glass and concrete and 70% open plan with two floors and a large atrium space.
The two floors are not discrete in that there’s clear air in two directions from any upper floor seat to the lower floor and vice versa.

Radios

Within the building, there’s 22 internal 3500 series APs which are the focus of our discussion and 8 external 2600 series APs which contribute to the RF characteristics but aren’t a major player for this discussion.
The radio spectrum in question is a 20MHz wide 5GHz WLAN based in the UK using all available indoor UK channels:
36,40,44,48,52,56,60,64,100,104,108,112,116,132,136,140

WiFi Nigel does an exceptional job of explaining the constraints of 5GHz in the UK, here.

Devices

Day to day, there’s anything up to 400 devices across 5 WLANs within the building. The devices we’re focusing on number up to 270 on a single 5GHz 802.1x enabled WLAN. They are the managed laptop devices.

The devices in my organisation are loaded with Intel® Centrino® Advanced-N 6235 Wi-Fi adapters which have several options for client side ‘Roaming Aggressiveness’.


A colleague of mine has already changed a couple devices to ‘5’ for Roaming Aggressiveness with no detrimental feedback, so we assume that is safe – for now – on those devices whilst we pay attention to the WLC.

Taking a note of the configuration of both the Laptops and the WLC configuration, I’m starting with the WLC Optimized Roaming configuration and leaving the Laptops on ‘4’ for Roaming Aggressiveness.

The strategy for the changes pans out as follows:-

  1. Enable Optimized Roaming on the WLC without RSSI – 10 sec interval
  2. Review Optimized Roaming change after 2 weeks and consider interval period.
  3. *Repeats* Add/Increase RSSI thresholds

Cisco states “If you configure a low value for the reporting interval, the network can get overloaded with coverage report messages”. I don’t understand how data, sent every 20secs from 30 APs, would overload the network which is Gigabit access ports and 10Gig uplinks to the Core.
My issue with that long suggested timer interval is that if Optimized Roaming only executed disconnects every 1.5mins, that’s a long time for a device to be hanging around on a sub-optimal AP before it re-connects to something useful.

In the interest of only turning one knob at a time, I’m changing the WLC to enable Optimized Roaming allowing RSSI as its only metric and ignoring data rates for the time being.

Step 1. Configuring Optimized Roaming without RSSI from the WLC CLI.

*You will need to disable your radios to complete this work!*

config 802.11a disable network
config 802.11b disable network
config advanced 802.11a optimized-roaming enable
config advanced 802.11b optimized-roaming enable
config advanced 802.11a optimized-roaming interval 20
config advanced 802.11b optimized-roaming interval 20
config advanced 802.11a optimized-roaming datarate 0
config advanced 802.11b optimized-roaming datarate 0

config 802.11a enable network
config 802.11b enable network

show advanced 802.11a optimized-roaming
show advanced 802.11a optimized-roaming stats

Unless there’s any immediate negative consequence from enabling these settings, it’s only fair that the configuration is left alone for a reasonable amount of time before moving on with the RSSI modifications.

Two weeks seems like a good start, it enables you to carefully investigate any issues that aren’t global within the environment and confirm if they were real issues or emotional responses to the change.

Step 2. Configure RSSI as a part of Optimized Roaming

*You will need to disable your radios to complete this work!*

config 802.11a disable network
config 802.11b disable network
config advanced 802.11a optimized-roaming datarate 12
config advanced 802.11b optimized-roaming datarate 12
config 802.11a enable network
config 802.11b enable network
show advanced 802.11a optimized-roaming
show advanced 802.11a optimized-roaming stats
 

Step 3. Increase RSSI thresholds in Optimized Roaming

*You will need to disable your radios to complete this work!*

config 802.11a disable network
config 802.11b disable network
config advanced 802.11a optimized-roaming datarate 24
config advanced 802.11b optimized-roaming datarate 24
config 802.11a enable network
config 802.11b enable network
show advanced 802.11a optimized-roaming
show advanced 802.11a optimized-roaming stats
 

Step 4. Increase RSSI thresholds in Optimized Roaming

*You will need to disable your radios to complete this work!*

config 802.11a disable network
config 802.11b disable network
config advanced 802.11a optimized-roaming datarate 36
config advanced 802.11b optimized-roaming datarate 36
config 802.11a enable network
config 802.11b enable network
show advanced 802.11a optimized-roaming
show advanced 802.11a optimized-roaming stats
 

Step 5. Increase RSSI thresholds in Optimized Roaming

*You will need to disable your radios to complete this work!*

config 802.11a disable network
config 802.11b disable network
config advanced 802.11a optimized-roaming datarate 48
config advanced 802.11b optimized-roaming datarate 48
config 802.11a enable network
config 802.11b enable network
show advanced 802.11a optimized-roaming
show advanced 802.11a optimized-roaming stats
 

Step 6. Increase RSSI thresholds in Optimized Roaming

*You will need to disable your radios to complete this work!*

config 802.11a disable network
config 802.11b disable network
config advanced 802.11a optimized-roaming datarate 54
config advanced 802.11b optimized-roaming datarate 54
config 802.11a enable network
config 802.11b enable network
show advanced 802.11a optimized-roaming
show advanced 802.11a optimized-roaming stats

As of 25/11/15 I’m executing Step 1. on the 27/11/15.
I’ll continue to update this post as the process develops.

 

 

 

Quick note on Iperf usage

Iperf commands used for testing a flow. These are unidirectional, as I would advise against using the Server side return flag i.e. when finished flip the commands around and change the IP address.

TCP test – example at 20m (see -b) and the x.x.x.x address should be the server’s address:

Client side = iperf -c x.x.x.x -p10000 -i1 -w512k -l512 -t30 -b20m
Server side = iperf -s -p10000 -i1 -w512k

UDP test – example at 20m (see -b) and the x.x.x.x address should be the server’s address:

Client side = iperf -c x.x.x.x -u -p10000 -i1 -w512k -l512 -t30 -b20m
Server side = iperf -s -u -p10000 -i1 -w512k

Flags:
-p = the port used for the flow
-c = Assign as client (server’s IP address must follow)
-s = Assign as server
-i1 = Print to screen every second
-w512k = Enlarge window size (proven through multiple tests as the best value)
-t30 = Duration of test in seconds
-b20m = 20Mbits bandwidth – can be m = Megabits or K = Kilobits – value can be changed based upon requirement
-u = UDP Mode (without the flag it defaults to TCP)
-l512 = Set the packet length (example is 512, but default is 1470)

CCIE R&S Written Section 1.20 – Implement VLAN and VTP

VLANs

Standard VLANs from 1 – 999. Extended VLANs from 1000 – 4094.
To create VLANs 1000 – 4094 you must be in VTP Transparent mode if you’re running VTP 1 or 2, otherwise you must be using VTP v3 to create VLANs in this range.

If a client, SW2, sees two VTP Servers, SW1 and SW3, which are not themselves directly connected but are connected through SW2, and SW2 loses connection with SW1 and then receives an update from SW3 to add VLAN 999, the client will UPDATE SW1 (which has been offline) with that new VLAN information when it comes back on!

SW1 will see that its configuration revision number is lower than SW2’s, and even though SW2 is a “client”, SW1 will use the updated information in the VTP advertisement from SW2 to update its VLAN database and get in “sync” with the rest of the VTP domain, including knowing about VLAN 999. So even though Clients cannot modify the VLAN database, they can pass changes to other servers if the configuration revision is higher than the server’s, assuming the security credentials – domain and VTP password – are correct.

Default for a new switch is to start up in VTP Server mode with a NULL domain name and no password.
If a switch in this condition is connected using a trunk port to a switch in a VTP domain with no password, that switch will automagically assume a role within that domain and add information from that domain to its VLAN database.

Should a switch with the correct domain name, no password (or the correct current password for the domain) and a higher VTP revision number attach itself to the network – client OR Server remember! – that switch will overwrite the other switches’ VLAN database information with the information that it holds, which could be disastrous!

#show vtp status
#show vtp password
(config)#vtp version 1|2
(config)#vtp domain NAME
(config)#vtp password PASSWORD

These are the main configuration commands for VTP.
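A small model of the acceptance rule described above, covering the SW1/SW2/SW3 case, a new switch with a NULL domain, and a switch with a higher revision number joining with and without the correct password. This is an added example and not Cisco code: the class, function names, the domain LAB and the revision numbers are constructed for illustration, and a plain password comparison stands in for the check real VTP performs.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    mode: str = "server"   # a new switch starts up as a VTP server
    domain: str = ""       # "" models the NULL domain name
    password: str = ""     # simplification: real VTP compares a digest
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def add_vlan(self, vlan_id):
        """Only a server edits the database; every edit bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}")
        self.vlans.add(vlan_id)
        self.revision += 1

    def advertise(self):
        """Servers and clients both advertise the database they hold."""
        return self.domain, self.password, self.revision, frozenset(self.vlans)

    def receive(self, advert):
        """Return True when the advertisement replaced the local database."""
        domain, password, revision, vlans = advert
        if self.mode == "transparent":
            return False
        if self.domain == "" and password == self.password:
            self.domain = domain           # NULL domain adopts what it hears
        if (domain, password) != (self.domain, self.password):
            return False                   # wrong domain or password
        if revision <= self.revision:
            return False                   # nothing newer than we hold
        self.vlans, self.revision = set(vlans), revision
        return True


def member(name, mode, revision=4, vlans=(1, 10), password="pw"):
    """Constructed switch in a made-up domain called LAB."""
    return Switch(name, mode, "LAB", password, revision, set(vlans))


def client_resyncs_server():
    """The SW1/SW2/SW3 case: client SW2 brings server SW1 up to date."""
    sw1, sw3 = member("SW1", "server"), member("SW3", "server")
    sw2 = member("SW2", "client")
    sw3.add_vlan(999)                       # SW1 is unreachable at this point
    sw2.receive(sw3.advertise())            # client learns VLAN 999
    updated = sw1.receive(sw2.advertise())  # SW1 is back and hears the client
    return updated, sorted(sw1.vlans), sw1.revision


def stale_switch_joins(password):
    """A switch with a higher revision and a short VLAN list is trunked in."""
    core = member("CORE", "server", revision=12, vlans=(1, 10, 20, 30))
    old = member("OLD", "client", revision=40, vlans=(1,), password=password)
    return core.receive(old.advertise()), sorted(core.vlans)
```

With the matching password the core switch's database collapses to VLAN 1; with a different password the advertisement is ignored, which is why a domain password and checking `show vtp status` on any switch before trunking it in both matter.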

VTP pruning

VTP pruning can only be enabled on switches that are VTP 2 capable. They don’t actually have to be running VTP v2, but they must be capable.

Enabling VTP pruning on the VTP Server in a Client/Server topology will enforce pruning throughout the VTP domain.

To enable VTP Pruning, either visit the server or transparent mode VTP switch and enter:-

(config)#vtp pruning

Confirm it’s in effect using simply

#show vtp status

In the output of this command you should expect to see

VTP Pruning Mode                : Enabled

Bulk Protein

I’ve been having a bit of a scour, whilst waiting for bits to happen on my servers at work, for some bulk protein suppliers. Firstly I’ve been trying to find a supplier which sells Maximuscle Promax on the cheap, as even though Fitness First stock the products regularly now, they really are charging top dollar for them and I can’t be paying their prices for a new tub every 14 days.
Thing is I kinda trust Maximuscle so I’d like to stay with the brand.
The only solution to this nasty pricing is to make sure you team up with a sufficiently loony exercise mad mate and order all your stuff together so you get the buy 4 and get one free deals and stock up for the month. Also subscribing to the MuscleBullitin.com newsletters helps as they knock out good exclusive deals once in a while which helps you get your Maximuscle products cheaper.

Bring on the Beefcake!!

Well travelled or Environmentally Inconsiderate?

So the next time you’re standing in a bar talking to someone with tales of uncountable foreign lands which they visited in the space of months, marvelling at the iPhone photos of the indigenous folk of some low lying land in the South Pacific and the curious creatures of a tropical outland, are you going to coo and admire said authentic waffle and photographic jamboree or are you going to poise to ask the poignant question of whether they realised that the flights they took to said exotic places are cumulatively destroying those exact paradises by continuing their unsustainable travelling behaviour even in the face of stark and widely available fact??

Just one more wafer thin flight?

When watching The Age of Stupid premiere on Sunday, I found it quite comforting to hear the producer answering a question on the subject of Climate Change with a retort that announced the decline in our planet’s environment as ‘a result of a western lifestyle’ which puts the onus fairly and squarely on our door. You, me, the western inhabitant. It’s not news to the more environmentally aware, I know, but I like to be reminded, life outside the environmentally concerned sphere goes on with too much disregard to this fact and needs to be told again and again and again. Just one flight by one celebrity flying to their premiere would have completely ruined their carbon budget for the film which worked out at 1% of a normal Hollywood production. How are we (the environmentally conscious) going to get people to realize that flying is an incredibly damaging privilege rather than a god given right?

Break a world record and get involved in Earth Hour 2009

Evening folks,

There’s a première this weekend of the new movie – The Age of Stupid. It’s being called the people’s première and among many more esteemed and worthwhile goals would like to set a Guinness World Record for the largest première attendance. Please click through the link and learn more about it. Good luck to the Firefly boys who are providing the solar rig for the show!

Once you’ve seen the movie, please get involved in this year’s Earth Hour and help make an even bigger impact than in 2008.

Big Love
P

Well I shit the bed!

I couldn’t believe my eyes when I saw 5, yes … 5 British riders on the WSBK SuperPole list from Phillip Island!? Holy Shit!

Superbike – Superpole

1 19 Spies B. (USA) Yamaha YZF R1 1’31.069
2 3 Biaggi M. (ITA) Aprilia RSV4 1’31.402
3 65 Rea J. (GBR) Honda CBR1000RR 1’31.596
4 96 Smrz J. (CZE) Ducati 1098R 1’31.600
5 84 Fabrizio M. (ITA) Ducati 1098R 1’31.837
6 91 Haslam L. (GBR) Honda CBR1000RR 1’32.112
7 7 Checa C. (ESP) Honda CBR1000RR 1’32.537
8 55 Laconi R. (FRA) Ducati 1098 RS 09 1’32.649
9 56 Nakano S. (JPN) Aprilia RSV4 1’31.843
10 9 Kiyonari R. (JPN) Honda CBR1000RR 1’31.860
11 71 Kagayama Y. (JPN) Suzuki GSX-R 1000 K9 1’31.867
12 66 Sykes T. (GBR) Yamaha YZF R1 1’31.881
13 41 Haga N. (JPN) Ducati 1098R 1’31.907
14 76 Neukirchner M. (GER) Suzuki GSX-R 1000 K9 1’31.916
15 67 Byrne S. (GBR) Ducati 1098R 1’32.119
16 23 Parkes B. (AUS) Kawasaki ZX 10R 1’32.719
17 11 Corser T. (AUS) BMW S1000 RR 1’32.873
18 44 Rolfo R. (ITA) Honda CBR1000RR 1’32.997
19 111 Xaus R. (ESP) BMW S1000 RR 1’33.152
20 33 Hill T. (GBR) Honda CBR1000RR 1’33.363
21 24 Roberts B. (AUS) Ducati 1098R 1’33.588
22 100 Tamada M. (JPN) Kawasaki ZX 10R 1’33.709
23 86 Badovini A. (ITA) Kawasaki ZX 10R 1’34.174
24 25 Salom D. (ESP) Kawasaki ZX 10R 1’34.194
25 31 Muggeridge K. (AUS) Suzuki GSX-R 1000 K9 1’34.341
26 99 Scassa L. (ITA) Kawasaki ZX 10R 1’34.390
27 77 Iannuzzo V. (ITA) Honda CBR1000RR 1’35.767
28 15 Baiocco M. (ITA) Kawasaki ZX 10R 1’36.363

I’m disappointed to see Shakey so far down the list, and Haga too as I think he’s a brilliant rider.

Good luck to Johnny Rea on the front row! Top show dude – tho he’s from Northern Ireland – so I guess I should be rooting for our home grown monobrow talent of Leon Haslam. Bollocks to favouritism I’d love to see the British boys up there on the podium! Wishing them all the best down under!!