Filtering with Wireshark and parsing logs with Log Parse Lizard

Recently one of my clients had one of their servers attacked.  The intrusion detection caught it, and I believe a lot of the malicious stuff they were trying were correctly filtered out by as dangerous requests, but in order to understand more about what was/is going on, I worked with 2 tools to help look at the situation a little deeper.

First, I wanted to look at the live requests coming to the server and see the payloads they contained.  To do this, I installed WireShark on the server, and started to capture traffic.

Wireshark as 2 types of filters: capture filters and display filters.  From the capture side of things, you can really cut down on the noise if you filter out the stuff you don’t care about.  So I used a capture filter of tcp port 80 or tcp port 443


Then, while the capture is running you can type in a display filter so that you can tell if you are getting the specific type of request you are interested in during the current trace.  In this case, I was only interested in http POSTs, so I could use this filter http.request.method == “POST”


This way you can let the trace run until you see records start to come through that match both filters.

The other thing I wanted to do was to look at log files to see how the traffic to the site changed over time.  To do this I installed MS Log Parser and the Log Parser Lizard.  With these two tools it allows for a nice UI and SQL queries against the data.  As you can see below, the requests/attacks started at 5:52.



Connecting to FTP behind Windows Firewall and Passive Connections

Even though I opened up the correct port in the Firewall, my Filezilla connection would always fail shortly after connecting.

It would attempt to enter passive mode, and also get a list of the FTP contents, and then the connection would die.

Turns out that by default, the FTP client (filezilla and maybe many others) enter a “Passive” mode when not actively transfering files.  However, to do this the client needs to connect to a random port assigned by the server, which for windows FTP server is between 1024 and 5000.

Now, if you don’t want to open up all those ports in your FW, then you can use the instructions here to change the PassivePortRange in the Metabase.xml file.

Worked prefect for me.

How to setup port forwarding on the CISCO ASDM 5.2

Go to configuration – > security policy

Add Access Rule

Interface: outside

Action: permit

Source: any

Destination: type in the public IP address, aka the outside interface IP address

Service: “tcp/PORT_NUMBER_HERE”

Click OK (maybe 2 times)


Click Apply



Then click on NAT on the left

Click on Add Static Nat rule

Under “Original”

Interface: Inside

Source: Internal ip address that you want traffic routed to

Under Translated

Interface: outside

Click the radio button that says “Use Interface IP Address”

Check the “Enable PAT” check box

TCP and set both ports to be what you want (i.e. 3389 for RDP)

This NAT part always seems backwards to me, but it works.

multiple connections to a server or shared resource

From time to time I get this stupid error when connecting to a machine:

multiple connections to a server or shared resource by the same user are not allowed

I finally found the solution.  Just open up a command prompt and run:

net use * /delete

It will ask you if you want to delete all your open connections, say yes, and then try to reconnect using the credentials you want. 


Computer Browser service starts and then stops

I was having problems locating a machine by name on my local network. 

After some poking around I noticed that the computer browser service on the machine was not running, and when I tried to start it it would immediately stop.  Searching the event log showed that it wasn’t even throwing an error… just stopping.

After a lot of poking around I found that if I enabled File and Print Sharing in my firewall rules that the service would keep running, and now I can look up the machine by name on my local network without problem.

Windows 2008 R2 Upgrade Hanging at 62

I was in server hell this weekend, as I was trying to upgrade a machine from 2008 to 2008 R2.

I had more problems than I could even write on this page, but most were unrelated to the actual upgrade itself.

The one thing I wanted to put here was regarding the fact that the update seemed to hang at 62% in the final step.

At one point I walked away and came back like an hour later to find it still at 62%.  I swore a bunch of times and left the computer running while I went back to my laptop to try researching the issue.

I found that there is a known issue in Windows 7 upgrade that causes it to lockup at 62%.  I figured I had something like that happening to me, but thankfully I didn’t pull the plug too early because sometime during the next 30 min or so, it moved to 63%, and soon it was done.

So, if you are upgrading to R2 and you are stuck at 62%, or 63% (63% took a long time too), don’t pull the plug.  Let it sit for another hour. 

PIX ArrayIndexOutofBoundsException

So today I went to make some firewall updates for a client and the Cisco PDM wouldn’t launch from the browser.

After some troubleshooting, I found that the Java VM was indicating an ArrayIndexOutofBoundsException had occurred.

After some checking around I confirmed my suspicion: Java sucks.  Just kidding, well not really, but what I really confirmed was that the PDM wouldn’t work with any new version of Sun Java.  I guess I’m spoiled with .Net being backward compatible. 

Some suggested installing an old version of Java

But lucky for me I was able to just install Java 6 Update 15 and Java 6 Update 7 from Add/Remove programs and everything started working again.

It’s totally true when people accuse MS of copying Java with the .NET framework, but they sure didn’t make it suck like Java.

UPDATE: The version of Java that is working for me is Java 6 Update 6.  You can download it here:


Earlier this morning my site got hacked by someone who put up a new home page demanding a stop to the war in Israel.


So some quick looking around quickly showed that, by default, my hosting company had enabled WebDAV, a long with a dozen other things.  WTF.

So who is worse, me for not checking this stuff, or my hosting provider for turning this crap on by default.

I think they are worse.  Way worse.

Copy and Paste not working in RDP?

You may notice that your clipboard will sometimes work over RDP(TS) sessions, but sometimes not.

Normally the problem is that the server has clipboard access disabled.

Just follow these instructions to enable it

1. Log into the TS (on an account that has administrator rights)
2. Run the Terminal Services Configuration program
3. Select the Connections folder (under Terminal Services Configuration on the left window pane)
4. Right-click on the RDP-tcp connection (in the right window pane) and select Properties.
5. Click the Client Setting tab
6. Un-tick the Clipboard Mapping option under the Disable the following: heading.


Supporting People with D-Link Routers

D-Link has a nice feature on their website that really helps people like me when I am trying to support a client who users one of these devices.

Normally when I am supporting someone I login remotely so I can view their screen and make the changes for them right there on their computer.  But if their router is down, they usually can’t get internet access to allow for this to happen.

So, it can be pretty difficult to talk to someone on the phone with stuff like “Ok, do you see anywhere on the screen where it talks about setting up PPPoE information?  Maybe something regarding WAN connectivity?” 

But, if you get their D-Link model number, you can go to the device page on DLinks website and launch an emulator of their web interface.

For example:
Click on “Emulator” on the right hand side.

This allows you to see the exact same screen they are looking at.  It also allows you to click around to find the right page w/o asking them to click every link and read you ever bit of info. 

It’s a great tool, and it probably saved me an hour of time with one of my clients today.