ssh hackers

SSH hacking. Amazed at the amount of ssh hackers. Its common to get people to try to hack you root account. THe internet is an amazing thing allowing us to learn a vast amount of information and content. It also is the biggest distraction ever made with youtube, chat rooms and general blackholes. And the internet allows us to hack the hell out of each other. A internet connected device will constantly get hacked, almost no matter what IP address you have!!

You will constantly see it in the logs. You see ‘Failed password for root from port 40834 ssh2’ entries. This happens on every host. It happens on hosts that have little valuable information. I found this information on a persons cloud host they use to host a personal site. . . nothing worth of value at ALL, yet it gets hacked all the time.

What else?
The hackers use other names that are common in software found on systems, like admin, test, and other common names. And they do this
24 hours a day, every day of the week, never ending. You can block them with ip address blocking, IP geo blocking, or simply don’t let anyone connect except valid users.
How? You can only allow certain IP addresses to connect to your host. Only allow the vendor or your own IP into the server. A great method.
How else? You can limit when people connect and WHO can connect, as well.
Do prevent anyone on the internet to connect, you can limit the time that connections are allowed. This is similiar to a ‘time lock’ on a bank safe.
A time lock prevents anyone from trying to get into the safe, except during business hours.
Same concept as a time-lock, you can restrict when you allow connections to your machine at all.
Use a ‘just in time’ authentication method to only allow your host to be connected to the device, when you need it.
On Microsoft Azure, look up ‘just in time’ authentication for this service.

Here is some data I found in the auth.log file. This file shows valid and invalid connection attempts. I sorted this file using several unix commands. It was found with unix commands looking at auth.log file.  Cmd was as follows:

grep ‘invalid user’ auth.log.1 | awk ‘{print $13}’ | sort -n -r | uniq -c >  out19_cc.txt”

Here is the attack data. In little less than a week (six day), some statistics on this host:

20 seconds. The host was hacked about every 20 seconds.

25,375 connections. A total of 25,375 connection requests in these period.

2023 different and unique ip addresses try to connect

38 tries. Each IP address tried an average of 38 times to connect (usually using different passwords)

5014 different usernames. The system was given 5014 different, invalid usernames.

2663 usernames were used more than once.

738 usernames were used more than ten (10) times. The list of those usernames (not including ROOT) are below that tried to SSH to this machine:

Two columns. First, the number of times using that username. Next column, is the username attempted.

10 zb
10 yw
10 yo
10 wx
10 wc
10 wb
10 vg
10 vf
10 ue
10 ts3server
10 testftp
10 te
10 students
10 storm
10 service
10 sd
10 rw
10 ru
10 ro
10 rl
10 rj
10 qt
10 qr
10 qa
10 ov
10 nginx
10 ng
10 nf
10 nexus
10 na
10 mh
10 lm
10 le
10 kv
10 ku
10 kf
10 kevin
10 kafka
10 jz
10 jt
10 jk
10 jd
10 jboss
10 iq
10 ih
10 hp
10 hl
10 fn
10 ez
10 et
10 ek
10 ei
10 dw
10 da
10 cy
10 cr
10 cl
10 chris
10 cg
10 ce
10 br
10 aw
11 zu
11 zg
11 zc
11 ys
11 ye
11 yc
11 xx
11 xm
11 xi
11 xc
11 wpyan
11 wj
11 vt
11 vk
11 vh
11 tu
11 tc
11 sk
11 sf
11 rt
11 rq
11 qm
11 qi
11 qg
11 qd
11 px
11 pu
11 po
11 pl
11 pe
11 pb
11 ox
11 oq
11 on
11 ob
11 node
11 ly
11 lq
11 ll
11 kt
11 kh
11 jv
11 jg
11 ir
11 ia
11 hk
11 he
11 hd
11 gz
11 gmodserver
11 gk
11 gi
11 gd
11 fu
11 eu
11 er
11 ep
11 dy
11 df
11 deployer
11 cz
11 cx
11 cp
11 confluence
11 cj
11 au
11 asterisk
11 aq
11 ad
12 yy
12 yg
12 xz
12 xp
12 xh
12 xe
12 xbmc
12 xb
12 wv
12 wt
12 wd
12 vyatta
12 vy
12 vv
12 vmail
12 vm
12 vb
12 ut
12 ui
12 tz
12 tx
12 tk
12 td
12 sz
12 st
12 ss
12 sr
12 speech-dispatcher
12 rp
12 robert
12 qw
12 qv
12 qs
12 qo
12 qn
12 py
12 ps
12 ph
12 pf
12 pd
12 oj
12 oi
12 nh
12 nc
12 ls
12 lc
12 kp
12 kl
12 kj
12 ki
12 jo
12 jj
12 is
12 il
12 hv
12 hu
12 hj
12 gx
12 go
12 ey
12 ex
12 eq
12 ec2-user
12 ea
12 dx
12 dh
12 dg
12 ct
12 csgoserver
12 by
12 bn
12 aj
12 ah
12 adm
12 ab
13 zw
13 zr
13 yq
13 ym
13 xy
13 xo
13 xl
13 wr
13 ve
13 vd
13 ux
13 uv
13 tr
13 th
13 temp
13 sx
13 sv
13 sq
13 so
13 rs
13 qu
13 pz
13 pv
13 pt
13 pp
13 oo
13 og
13 oe
13 od
13 ny
13 nb
13 mv
13 mk
13 mb
13 m
13 lw
13 lu
13 kz
13 kr
13 kq
13 jx
13 jh
13 ja
13 im
13 ik
13 ie
13 hh
13 hb
13 fv
13 ft
13 fq
13 fd
13 fb
13 eb
13 dt
13 ds
13 dn
13 dl
13 dk
13 dj
13 de
13 dc
13 cpanelphpmyadmin
13 cc
13 bu
13 bo
13 bl
13 bg
13 al
13 ag
14 zy
14 zs
14 zl
14 zj
14 yh
14 xk
14 xd
14 wi
14 vi
14 uy
14 um
14 uj
14 uc
14 ty
14 tv
14 tt
14 toor
14 tn
14 stackato
14 sinusbot
14 si
14 sconsole
14 sb
14 sansforensics
14 sans
14 samurai
14 rh
14 ra
14 qj
14 qh
14 qe
14 qc
14 pyimagesearch
14 pq
14 pn
14 plexuser
14 pk
14 oy
14 ow
14 osboxes
14 osbash
14 openhabian
14 om
14 nv
14 nq
14 nexthink
14 netscreen
14 NetLinx
14 nao
14 myshake
14 my
14 mt
14 misp
14 maint
14 mailman
14 m202
14 lt
14 localadmin
14 lg
14 ld
14 la
14 kx
14 kw
14 ju
14 js
14 jr
14 if
14 id
14 hz
14 hy
14 hxeadm
14 hq
14 ho
14 hg
14 hduser
14 hacker
14 gu
14 gh
14 fw
14 fl
14 fe
14 daniel
14 cw
14 cu
14 cq
14 cirros
14 bi
14 bb
14 ax
14 as
15 zi
15 yl
15 xv
15 wy
15 wk
15 wf
15 vs
15 vo
15 ts3bot
15 sl
15 se
15 rz
15 redmine
15 ql
15 qk
15 pc
15 ou
15 of
15 oc
15 nt
15 mr
15 michael
15 mg
15 ma
15 lx
15 lb
15 ks
15 kc
15 ka
15 jw
15 iy
15 iw
15 informix
15 info
15 hunter
15 ht
15 hn
15 hf
15 gn
15 ethos
15 eh
15 ed
15 dz
15 dr
15 do
15 device
15 dd
15 david
15 cloudera
15 ch
15 bw
15 bs
15 bj
15 ay
15 ao
15 ac
15 aa
16 zp
16 ze
16 za
16 yt
16 yd
16 xa
16 ww
16 wg
16 vx
16 vq
16 vps
16 vl
16 va
16 uu
16 uploader
16 uk
16 uf
16 tm
16 tg
16 ta
16 sh
16 sg
16 s
16 ry
16 rk
16 rg
16 re
16 q
16 pm
16 or
16 nn
16 nj
16 ms
16 mo
16 mn
16 mm
16 kn
16 k
16 jf
16 hs
16 gm
16 fa
16 ec
16 docker
16 ci
16 bv
16 bf
16 be
16 ba
16 am
16 ai
17 zd
17 yx
17 yv
17 yf
17 xu
17 wl
17 wh
17 vr
17 uz
17 up
17 uh
17 ub
17 tl
17 system
17 sw
17 su
17 steam
17 solr
17 sc
17 rf
17 qx
17 ok
17 oh
17 no
17 nl
17 nk
17 mi
17 me
17 jb
17 j
17 gl
17 gb
17 el
17 ef
17 dp
17 cs
17 cm
17 cd
17 cb
17 ca
17 c
17 bt
17 bm
17 ak
18 zx
18 yj
18 wu
18 we
18 vw
18 vu
18 vc
18 v
18 uw
18 un
18 ti
18 tf
18 telecomadmin
18 rx
18 rv
18 qy
18 qf
18 qb
18 pa
18 oz
18 os
18 nx
18 nw
18 mx
18 mu
18 lo
18 lj
18 ko
18 km
18 ii
18 hr
18 gitlab-runner
18 fy
18 ftp
18 es
18 eo
18 contador
18 bd
19 zk
19 zf
19 yb
19 y
19 xf
19 ws
19 uq
19 to
19 teste
19 redhat
19 r
19 prueba
19 leo
19 jq
19 jm
19 ix
19 iv
19 ic
19 gw
19 fk
19 fh
19 ff
19 ew
20 zv
20 zq
20 xt
20 xg
20 wq
20 wp
20 us
20 ri
20 redis
20 profile1
20 pj
20 p
20 MikroTik
20 jp
20 jn
20 fr
20 fj
20 en
20 em
20 d
20 cisco
20 bx
21 ya
21 x
21 testing
21 qp
21 o
21 n
21 mp
21 minecraft
21 lk
21 li
21 kb
21 f
21 e
21 dq
21 developer
21 bq
21 bp
21 an
21 a
22 yn
22 yi
22 vnc
22 vn
22 vj
22 user3
22 stack
22 rd
22 rb
22 md
22 ip
22 gv
22 g
22 eg
22 bk
22 at
22 alex
23 yp
23 upload
23 ul
23 t
23 sm
23 rm
23 operator
23 oa
23 mw
23 mq
23 ml
23 iz
23 gq
23 gp
23 fc
23 ck
23 centos
23 bh
23 b
24 web1
24 wa
24 w
24 user01
24 tom
24 tech
24 rabbitmq
24 mc
24 h
24 ej
24 cv
24 ar
24 ap
24 admin1
25 z
25 uftp
25 tester
25 pr
25 john
26 user2
26 u
26 apache
27 svn
27 rr
27 public
27 ga
27 du
27 cssserver
28 user0
29 ts
29 teamspeak3
29 l
29 elastic
29 db2inst1
29 Administrator
30 xn
30 ftptest
31 webadmin
31 ftpadmin
31 elasticsearch
33 testuser
34 zabbix
34 vagrant
35 odoo
35 i
35 db
37 webmaster
39 dev
40 spark
41 weblogic
41 jira
44 web
48 tomcat
48 teamspeak
49 student
50 default
52 ts3
52 server
56 www
57 mysql
60 demo
67 jenkins
69 administrator
72 nagios
85 user1
85 support
85 debian
93 ubnt
100 pi
106 hadoop
110 guest
114 deploy
143 test2
144 for
156 usuario
164 git
172 test1
231 ftpuser
424 oracle
700 postgres
725 ubuntu
852 user
938 test
1276 admin

cisco built in RFID

Using a 9300 cisco switch? keep track of them using the built-in RFID tag.

from 9300 manual


The chassis has a built-in,passive RFID tag that uses UHF RFID technology and requires an RFID reader with compatible software. It provides auto-identification capabilities for asset management and tracking. The RFID tags are compatible with the Generation 2 GS1 EPC Global Standard and are ISO 18000-6C compliant. They operate in the 860- to 960-MHz UHF band. For more information, see Radio Frequency Identification (RFID) on Cisco Catalyst 9000 Family

Switches White Paper.

Looked like has pretty good software and readers you could use. Unfortunate that most modern phones don’t have reader capability, even though they have 800 mhz software defined radios. I like this bluetooth reader with optical scanner.

network cable – stretched antenna

A high speed network cable is a antenna. To me, a network cable is in essence a wave-guide, or antenna. The network cable allows a path from the one network card to the other network card. These strands of wire don’t just allow electrical signals, they allow radio waves to transverse, reflect, and be absorbed. Each wire pair needs to be considered as a wave-guide and treated as such. Minor kinks or length changes cause serious issues with signal degradation. These guys at Quabbin have a pretty good explanation. I will try to post some practical examples using damaged wire pairs, and graphs (from analyzers/cable testers.)

interview questions for devops

This is the last day of May 2020, hard to imagine that we are here. For someone my age, its a blessing to have lived this long. I watched Blade Runner the movie as a teen, and the future was 2019, a long way away from 1982. The writer figured in thirty years, we would have floating cars, clones, and common slaves (made from cloned humans). It didn’t all happen in 2019 for sure. To be sure of what the writer imagined, watch the movie! We have amazing technology for sure. So in 2020, you are going to get a new hot job for yourself, and get ready for the interview test. This month a friend needed some help with a interview question.

So my friend, mostly doing networking, gets into a cloud / devops job. Mostly a glorified Sysadmin position with average to below pay, but the benefits lure him in. He is in a panic about the XML interview question. Its a large text file with repeating xml/json like strings, each section for a user/computer pair that is in use by the organization. So the interview question is this:

I have a large JSON file, using any programming tool or language, I want you to change every password string in this file to a random string, instead.

Simple right? Well I do these things on a regular basis, but this one was a bit different. I didn’t give him the entire interview answer, but I gave him some hints. I was going to do the data processing with unix SED/AWK, but changed my mind and used powershell instead.

Here is the json file, what it looked like.

PS C:\Users\superDaveRDeluhery> type json.txt
db password : it43ss3489888~
username : superdave
text comment : a wonderful life
data home path : \data\user\superdave
comment : 10

Here is powershell line with REGEX, looks for semicolon : then two digits (d{2}). And replaces with ‘ken’. Notice the “comment : 10” line is now changed with new value.

PS C:\Users\superDaveRDeluhery> (Get-Content -path json.txt -Raw) -replace “\: \d{2}”, “: ken”
db password : it43ss3489888~
username : superdave
text comment : a wonderful life
data home path : \data\user\superdave
comment : ken

—— here same command, but create a new file called newjson.txt (instead of just writing to the screen)

PS C:\Users\superDaveRDeluhery> (Get-Content -path json.txt -Raw) -replace “\: \d{2}”, “: ken” >> newjson.txt

display the changed file

PS C:\Users\superDaveRDeluhery> type .\newjson.txt
db password : it43ss3489888~
username : superdave
text comment : a wonderful life
data home path : \data\user\superdave
comment : ken
PS C:\Users\superDaveRDeluhery>

Have not found the powershell command to create a random string, assign it to a variable, then use that to replace the text. Appears pretty easy to get random numbers, those might need to be converted to char so that you can get random strings (which the interview might want you to create random strings of letters and numbers, not just numbers).

##———————- another test question

June 22/ update – In life we have tests, you do them your way and go from there. Most of us take the easiest route, the path of least resistance. We all do it. But cut and paste is not really possible when you have 50,000 lines to replace. So here is a another test question. You have a list of objects in a text file, like three hundred objects in a text file. You have a single line, an ACL, and you need to create a new acl so that we replace a token in a line entry, and create three hundred line entries having a different object. Here is the example of the data:

myfile.txt contents:

object extended super_acl_55

object extended super_acl_56

object extended super_acl_533

object extended super_acl_5523

How do you take that data and create a new ACL using that data? My answer is use windows shell, use the “for” command to grab the third token (tokens=3). Each token gets echo into a line. I see how to do this in powershell. . .but have not done it, yet. When I grow up and become awesome at powershell, I will perhaps be too old to type. Haha! Back to the for loop. The for example is below:

C:\Users\users_uhery>for /F “eol=; tokens=3,4* delims=, ” %i in (myfile.txt) do @echo access-list CR.ITS line 50 extended permit tcp object %i object eq ssh

This uses the “for” shell command. The command, the for command, will process each line and will take each lines third token, example “super_acl_533) and put that data into the echo statement. So in the echo you see

echo access-list CR.ITS line 50 extended permit tcp object %i object eq ssh

See the %i, between the object and object? See that? Its the variable that for uses to hold the token. That gets replaced with the “super_acl_533”. So the final output would be

access-list CR.ITS line 50 extended permit tcp object super_acl_55 object eq ssh

access-list CR.ITS line 50 extended permit tcp object super_acl_56 object eq ssh

access-list CR.ITS line 50 extended permit tcp object super_acl_533 object eq ssh

##———————- end of test question

Since this is a cisco blog, a few cisco things. Studying CCIE wireless? Understand SSDP and mDNS, you must. Check out SSDP using UDP and multicast. Seen packets with M-SEARCH? Check out details.

network security – cover your web traffic

worked a bit with the folks at Zscaler today. Good guys, they were helpful. People talk about network security and how to make your network secure. There are thousands of things that can be done, some matter and some don’t. People discuss what should and should not be done. One thing that should be done? Cover your web traffic. Meaning create a cover of where your web traffic is coming from. Have a networks that builds a path so that someone can’t associate your users traffic to where your users data is ! Keep it separate. Create an easy way to find traces of where your datacenters are located, who would do that?

For most medium sized organizations, they have people inside the buildings/factories that browse the web, and that creates information. If you use a zscaler cloud service, the browsing leaves a footprint that simply points back to Zscaler. That is one of the things I like about it. Your organization doesn’t go around the internet leaving footprints that point back to the datacenter(s). Footprints and information that can be useful for people trying to figure out how your network operates.

I was at a common US government installation a month ago, and they have free WIFI. I thought, I wonder if this free wifi is associated with the governments internet link? That might be a bad idea. Well, I couldn’t tell, which is good. I went to a website “”. IPchicken and many others show the source of you web traffic. The government building I was in, they covered their web traffic. Stay safe. Cover your web traffic.

Copyright 2020 Rod Deluhery

network monitor

neat, a network monitor running on a cisco ISR router. this runs on the cisco device.


Cisco ISR 4451-X router with 8 GB RAM, 16GB compact flash memory, and 200 GB hard disk.

here is what Cisco says about running apps in the isr routers:

Use the Cisco 4000 Series Integrated Services Router (ISR) and ASR 1000 Series Aggregation Services Router to host not only Cisco apps, but also third-party and homegrown Linux-based apps. These routers’ Cisco IOS® XE operating system supports the Kernel-based Virtual Machine (KVM), a virtualization infrastructure for the Linux kernel that turns it into a hypervisor.

Both routers use a customized high-performance data plane for forwarding and manipulating packets. The control plane is entirely Linux running on an x86 Intel CPU. We designed the routers with extra CPU capacity for hosting VMs.

You can also turn to the Cisco 4000 Series ISR and ASR 1000 Series to host other network functions that can be deployed as VMs, including:

●     Windows domain controller

●     Print servers

●     Network analytics

●     Network functions such as WAN optimization (Cisco WAAS), intrusion detection and prevention (Snort® IPS), and visibility and security intelligence (Cisco Stealthwatch Learning Network License)

Hosting those VMs directly on your existing physical router makes a whole lot of sense.

wireless lookup fccID

No manual for a Alcatel Lucent 9962 cell? Whatever wireless device, if you have the FCC ID number, you might be able to find a manual. Take the FCC ID, and put it in the page below.

On a related note, if you need to find a wireless license, you use this page:

Once you see the FCC exhibits that have been uploaded, you might find a technical manual for the radio you are working on. For example, I wanted to know more about a Alcatel 9962 device with a FCC ID of P279962MSEC. Once I put that FCC id into the search page, I found many documents, including a detailed technical manual for the device. The manual cover and a random page are shown below.

Copyright 2020 Rod Deluhery

wireless detail in 802.11n

I ran across Praveens blog as was trying to recall the terminology for aggregate frames. I almost have the name and details of each layer, MSDU and MPDU. Praveen has some good details on Fortinet it appears. It has been years since I have looked at a Fortinet product, they are into all sorts of products now. Ahh Fortinet, I never hung out with you much. . . maybe I should now? Years ago they only sold firewalls.

The whole concept of MSDU, a service data unit, is not clear to me. Reading about it, I pulled up the IEEE specification document, IEEE Std 802.11-2016. If you want to understand how these things work, read this document. You have to register with an email address on IEEE site, and then you can download it for free (you could a few months ago). Not all the documents from IEEE are free to download, make note of that. If you can get that document, it’s a great study aid for learning 802.11 wireless. The document covers directional multi-gigabit wireless concepts and terminology. It also is one of the only places that goes into detail on how DL-MU-MIMO) actually works.

Looking up PTK and the details, a few things to note. More new things, that I found. For MESH access points, or other equipment, you may find a thing called and AP PeerKey. It’s a protocol for access points to communicate to each other. From the document: “The AP PeerKey protocol provides session identification and creation of an AP PeerKey association to
provide for security of OBSS management communication between two APs. The result of a successful run of the AP PeerKey protocol is an AP PeerKey association. An AP PeerKey association is composed of a mesh PMKSA and a mesh TKSA.

I am still learning here about wireless frames, a few things I found out. In some of the IEEE docs, they call A-MSDU a “payload protected (PP) aggregate medium access control (MAC) service data unit. Wow, that is alot to remember, I forget the terms A-MSDU. What might help is remembering what they mean.

I do have a few questions. What causes an AP or station to implement aggregate frames? Is it basically a queue, and if the queue begins to fill, and there are no transmit opportunities, then “start” and begin building a MSDU frame? I am unsure.

Question, how does a PPDU relate to a MPDU? And how does that relate to service period (sp)? Answer- I think the PPDU can be anything transmitted, like a beacon, or a packet. In the ieee doc, we see on page 2325, “PPDU is formed during data transmission by appending the PSDU to the Exteneded Rate PHY preamble and header. At the receiver, the PHY preamble and header are processed to aid in the demodulation and delivery of the PSDU.” And the service period? a time you are told to transmit or assume you can transmit. My definition, anyway.

How does a TIM (traffic indication map) differ from a beacon?

What is a TSID?

Things change with MIMO. A few things. “Very high throughput (VHT) multi-user (MU) physical layer (PHY) protocol data unit (PPDU): A
VHT PPDU with a format that is capable of carrying up to four PHY service data units (PSDUs) for up to four users and is transmitted using the downlink multi-user multiple input, multiple output (DL-MU-MIMO) technique.” thats from the document. So in MIMO with multiple users on a access point, it reads to me like the AP may have a PPDU to send that has data for up to four (4) different clients. Might make for an interesting conversation with speed uploads. If you have a busy wireless network, using MIMO, your upload speed maybe slower than download speeds. Rationale? With MIMO, downloads are more efficient to clients, from the access point. More effective use of air-time, and uploads have no such MIMO capabilities in some STA. Its the downlink that is faster (effectively faster, actually bits per second, it is the same speed. . .it is the same bits per second!)

Another question, is an MPDU with many MSDU always a good thing? I like to think most designs have good and bad. So when the concept of packing frames together into longer frames, whats the catch? Yes there is a downside to most designs. For frame aggregation, mostly all good things. But can it cause latency? I would say yes, even if it is a 1 millisecond latency, it still maybe the case. Latency of one millisecond is not a big deal, right? Well it is something to keep in mind. Latency here and there can add up. Your server latency, WAN latency, then wireless latency. . . speed is king. Yes speed is king, but you can be fast AND have latency. They call it a long, fat, network. I can see how this make wireless more effective, in general. But at times, could this cause latency issues? Or does this only happen when the signal level is very good (high speed networking)?? If signal level (RSSI) is poor, speed is low, does protocols still try to pack the data using these process? If so, latency will be impacted.

Did you read the link on wikipedia? if not, click the link, its in the previous paragraph. What did you see? From that link, it says this:
A network with a large bandwidth-delay product is commonly known as a long fat network (shortened to LFN). As defined in RFC 1072, a network is considered an LFN if its bandwidth-delay product is significantly larger than 105 bits (12,500 bytes).

So, say you have 300 mpbs wifi link, that is megabits, and that is fast. . . . . . which is really maybe around 20,000,000 megabytes per second.
What does a 1 millisecond delay cause? In one millisecond, you divide 20,000,000 divide by 1000, as 1000 milliseconds per second,
and you could have transmitted 20,000 bytes! Even though fast, your 300 mbps link is not a true speed demon, its a LFN. So you now have a LFN (long fat network) simply by having a 1 millisecond delay.

Back to PPDU on the airwaves. So within the PPDU, is MSDU, at least one. So the way I understand, these MSDU and MPDU only apply in wireless realm. Both sta have to have the HT (high throuputoptionimplemented) so that each sta knows what to do with the msdu packets. As I understand the packets are similiar to like a multiplex circuit (like LACP). After the data is recieved it is put back on the network in the original state, so the packet size goes back to 1500 or so. So there is no fragmentation.

Also the packets all need the same qos value or they won’t get packaged in a MPDU. So different qos packets should never be in a MPDU. That how I read the 802.11-2016 IEEE specifications.

Lastly, remember that all the MSDU and MPDU need encrypted before transmission. How does that happen? It appears each MSDU should be encrypted separately, then packed together. Really? What I found interesting, there is a timer in each MSDU. The timer is the lifetime of the encryption protocol. . . I believe.
“The expiration of the A-MSDU lifetime timer occurs only when the lifetime timer of all of the constituent
MSDUs of the A-MSDU have expired.” page 1365. This is the PTK lifetime timer i believe (only thing that matches that in the ieee document. So the MSDU, each one maybe encrypted differently with a different timer. . .and the MPDU will transmit MSDU with expired PTK lifetimes. . . potentially sending packets that can not be unencrypted? It seem it maybe the case.

Copyright 2020 Rod Deluhery


Found this, thought I would share. Take your network skills up a notch, if you dare. It is a packet analysis and packet creation tool using Python. It is called Scapy. The documentation is good. . . a bit difficult to find some quick how to demonstrations. Here is what I did, using my computer.

First I read up on it:

Then I used PIP (PIP – package installer for python. ) to make sure my PIP was updated.

C:\Users\rod>python -m pip install -U pip
Collecting pip
Downloading (1.4MB)
100% |################################| 1.4MB 573kB/s
Installing collected packages: pip
Found existing installation: pip 9.0.1
Uninstalling pip-9.0.1:
Successfully uninstalled pip-9.0.1
Successfully installed pip-19.3.1


Then I installed scapy using pip:

C:\Users\rod>pip install –pre scapy[basic]
Collecting scapy[basic]
Downloading (905kB)

After that I was able to run some scapy scripts against network packet captures. Here is one. In this example python/scapy script that reads a file called “capture” and counts packets and outputs to standard output.

*** START of python scapy file *****
from scapy.all import rdpcap

Read capture with Scapy

filename = ‘capture.pcap’
packets = rdpcap(filename)

Create sets to store source and ip addresses

This automatically allows us to count the number of unique addresses!

source_ips = set()
destination_ips = set()
IP = ‘IP’

Loop through all packets in capture

for packet in packets:
# If the packet has IP layer information…
if IP in packet:
source_ip = packet[IP].src
destination_ip = packet[IP].dst


print(‘There are ‘ + str(len(source_ips)) + ‘ unique source IP addresses.’)
print(‘There are ‘ + str(len(destination_ips)) + ‘ unique destination IP addresses.’)

*** END of python scapy file *****

ccie wireless

The CCIE tests are going to ask you many questions about specifics of routers and switches. Even if you take the CCIE wireless, they will ask you switch and router questions, because come on, you are supposed to be an internet expert! So do you really know the basics of switches? How about troubleshooting a connection? Cable test commands? How about “test capwap ap super” commands? You better!

You start a switch based cabled test with this command

“test cable-diagnostics tdr interface gigabitEthernet 1/0/33”

After the test is run, about 45 seconds, type this command:

superswitch1007-RX001#show cable-diagnostics tdr interface gigabitEthernet 1/0/33
TDR test last run on: December 09 10:13:25

Interface Speed Local pair Pair length Remote pair Pair status

Gi1/0/33 1000M Pair A 27 +/- 10 meters Pair A Normal
Pair B 27 +/- 10 meters Pair B Normal
Pair C 27 +/- 10 meters Pair C Normal
Pair D 27 +/- 10 meters Pair D Normal

Interface Speed Local pair Pair length Remote pair Pair status

What about abnormal conditions? Look out the output below. This is a 100megabit only network device, it actually did function at 100mbps with the below two pairs shorted.

Gi1/0/32 100M Pair A 0 +/- 1 meters Pair A Normal
Pair B 0 +/- 1 meters Pair B Normal
Pair C 33 +/- 1 meters N/A Short
Pair D 34 +/- 1 meters N/A Short

Need to do minor capwap WLC or CAPWAP ap testing, from a switch? You might find it useful to know these commands:

superswitch1007-RX001#test capwap ?
ap Cisco AP
cavium-scale Cavium Scalability Test Hack
data CAPWAP data tunnel
ha-ut ha unit test helper
memory Memory allocation and dellocation reference-counter
multicast CAPWAP multicast tunnel

superswitch1007-RX001#test capwap data ?
attrib Modify CAPWAP data tunnel attribute
create Create CAPWAP data tunnel
delete Delete CAPWAP data tunnel

superswitch1007-RX001#test capwap mult
superswitch1007-RX001#test capwap multicast ?
create Create CAPWAP multicast tunnel
delete Delete CAPWAP multicast tunnel

superswitch1007-RX001#test capwap ap ?
name AP Name

superswitch1007-RX001#test capwap ap