Prevent Bluetooth Power Saving from Disconnecting Peripherals

I was having issues with my Logitech MX Anywhere mouse on a Windows 10 notebook. The mouse would lose connection momentarily, and there would be a noticeable lag before the computer and mouse reconnected, which was annoying.

I struggled to find the root cause of this issue for some time, but eventually nailed it down to the aggressive power saving in Windows 10. There are options to turn this feature off.

If your drivers are up to date, the next step is to check the power settings for the Bluetooth chipset in your computer, in my case Intel Wireless Bluetooth.

Right-click it and select Properties.

[Screenshot: Intel(R) Wireless Bluetooth(R) Properties dialog, General tab, showing Device type, Manufacturer (Intel Corporation), Location (Port #0007, Hub #0001), Device status ("This device is working properly") and the Change settings button]

If you aren’t an admin, click Change settings and enter administrator credentials.

Click the Power Management tab.

[Screenshot: Intel(R) Wireless Bluetooth(R) Properties dialog, Power Management tab, with the check boxes "Allow the computer to turn off this device to save power" and "Allow this device to wake the computer"]

Deselect the Allow the computer to turn off this device to save power check box. This feature can be overly aggressive in how the operating system (OS) and the device drivers manage the power state of the device.

Click OK to apply the changes.

Your Bluetooth mouse should no longer disconnect from the computer because of aggressive power management.

Happy computing.

Mar 31st, 2020 • Filed under Microsoft, Windows

Output pcapng to Different Useful Formats

At times you might need some or all of the contents of a PCAP Next Generation Dump File Format (pcapng for short) file in a format that was not designed for packet data, like JSON or even C arrays.

This is very easily accomplished within the Wireshark application itself. Open the File menu to get started, then click Export Packet Dissections to open its submenu.

Click the item that saves in your desired output format, or adjust the Save as type selection in the dialog.

Once you have chosen the filename and location, packet range, and packet format, click the Save button to write the file in the format you chose.

Example output of a packet in JSON format. Warning: this output is verbose.

  {
    "_index": "packets-2004-12-05",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "unknown"
          },
          "frame.encap_type": "1",
          "frame.time": "Dec  5, 2004 15:16:24.317453000 Atlantic Standard Time",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1102274184.317453000",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "314",
          "frame.cap_len": "314",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ip:udp:dhcp",
          "frame.coloring_rule.name": "UDP",
          "frame.coloring_rule.string": "udp"
        },
        "eth": {
          "eth.dst": "ff:ff:ff:ff:ff:ff",
          "eth.dst_tree": {
            "eth.dst_resolved": "Broadcast",
            "eth.dst.oui": "16777215",
            "eth.addr": "ff:ff:ff:ff:ff:ff",
            "eth.addr_resolved": "Broadcast",
            "eth.addr.oui": "16777215",
            "eth.dst.lg": "1",
            "eth.lg": "1",
            "eth.dst.ig": "1",
            "eth.ig": "1"
          },
          "eth.src": "00:0b:82:01:fc:42",
          "eth.src_tree": {
            "eth.src_resolved": "Grandstr_01:fc:42",
            "eth.src.oui": "2946",
            "eth.src.oui_resolved": "Grandstream Networks, Inc.",
            "eth.addr": "00:0b:82:01:fc:42",
            "eth.addr_resolved": "Grandstr_01:fc:42",
            "eth.addr.oui": "2946",
            "eth.addr.oui_resolved": "Grandstream Networks, Inc.",
            "eth.src.lg": "0",
            "eth.lg": "0",
            "eth.src.ig": "0",
            "eth.ig": "0"
          },
          "eth.type": "0x00000800"
        },
        "ip": {
          "ip.version": "4",
          "ip.hdr_len": "20",
          "ip.dsfield": "0x00000000",
          "ip.dsfield_tree": {
            "ip.dsfield.dscp": "0",
            "ip.dsfield.ecn": "0"
          },
          "ip.len": "300",
          "ip.id": "0x0000a836",
          "ip.flags": "0x00000000",
          "ip.flags_tree": {
            "ip.flags.rb": "0",
            "ip.flags.df": "0",
            "ip.flags.mf": "0"
          },
          "ip.frag_offset": "0",
          "ip.ttl": "250",
          "ip.proto": "17",
          "ip.checksum": "0x0000178b",
          "ip.checksum.status": "2",
          "ip.src": "0.0.0.0",
          "ip.addr": "0.0.0.0",
          "ip.src_host": "0.0.0.0",
          "ip.host": "0.0.0.0",
          "ip.dst": "255.255.255.255",
          "ip.addr": "255.255.255.255",
          "ip.dst_host": "255.255.255.255",
          "ip.host": "255.255.255.255"
        },
        "udp": {
          "udp.srcport": "68",
          "udp.dstport": "67",
          "udp.port": "68",
          "udp.port": "67",
          "udp.length": "280",
          "udp.checksum": "0x0000591f",
          "udp.checksum.status": "2",
          "udp.stream": "0",
          "Timestamps": {
            "udp.time_relative": "0.000000000",
            "udp.time_delta": "0.000000000"
          }
        },
        "dhcp": {
          "dhcp.type": "1",
          "dhcp.hw.type": "0x00000001",
          "dhcp.hw.len": "6",
          "dhcp.hops": "0",
          "dhcp.id": "0x00003d1d",
          "dhcp.secs": "0",
          "dhcp.flags": "0x00000000",
          "dhcp.flags_tree": {
            "dhcp.flags.bc": "0",
            "dhcp.flags.reserved": "0x00000000"
          },
          "dhcp.ip.client": "0.0.0.0",
          "dhcp.ip.your": "0.0.0.0",
          "dhcp.ip.server": "0.0.0.0",
          "dhcp.ip.relay": "0.0.0.0",
          "dhcp.hw.mac_addr": "00:0b:82:01:fc:42",
          "dhcp.hw.addr_padding": "00:00:00:00:00:00:00:00:00:00",
          "dhcp.server": "",
          "dhcp.file": "",
          "dhcp.cookie": "99.130.83.99",
          "dhcp.option.type": "53",
          "dhcp.option.type_tree": {
            "dhcp.option.length": "1",
            "dhcp.option.value": "01",
            "dhcp.option.dhcp": "1"
          },
          "dhcp.option.type": "61",
          "dhcp.option.type_tree": {
            "dhcp.option.length": "7",
            "dhcp.option.value": "01:00:0b:82:01:fc:42",
            "dhcp.hw.type": "0x00000001",
            "dhcp.hw.mac_addr": "00:0b:82:01:fc:42"
          },
          "dhcp.option.type": "50",
          "dhcp.option.type_tree": {
            "dhcp.option.length": "4",
            "dhcp.option.value": "00:00:00:00",
            "dhcp.option.requested_ip_address": "0.0.0.0"
          },
          "dhcp.option.type": "55",
          "dhcp.option.type_tree": {
            "dhcp.option.length": "4",
            "dhcp.option.value": "01:03:06:2a",
            "dhcp.option.request_list_item": "1",
            "dhcp.option.request_list_item": "3",
            "dhcp.option.request_list_item": "6",
            "dhcp.option.request_list_item": "42"
          },
          "dhcp.option.type": "0",
          "dhcp.option.type_tree": {
            "dhcp.option.end": "255"
          },
          "dhcp.option.padding": "00:00:00:00:00:00:00"
        }
      }
    }
  }
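One thing to notice in the export above: Wireshark writes one JSON key per field occurrence, so "ip.addr", "udp.port" and "dhcp.option.type" repeat inside a single object. Most JSON libraries keep only the last duplicate, which silently drops the other DHCP options. The following Python script is an added example (not part of the original post or of Wireshark) that parses a condensed, constructed copy of the packet above with an object_pairs_hook so repeated keys survive, and shows what a naive parse would have kept. tshark's -T json output has the same layout, and its --no-duplicate-keys option avoids the problem at the source.

```python
import json

# Constructed sample: a condensed copy of the DHCP Discover packet exported
# above, in Wireshark's JSON layout (a list of packets, one "layers" object per
# protocol). Wireshark emits one key per field occurrence, so "ip.addr",
# "udp.port" and "dhcp.option.type" repeat inside one object.
SAMPLE_JSON = r'''
[
  {
    "_index": "packets-2004-12-05",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.number": "1",
          "frame.len": "314",
          "frame.protocols": "eth:ethertype:ip:udp:dhcp"
        },
        "eth": {"eth.dst": "ff:ff:ff:ff:ff:ff", "eth.src": "00:0b:82:01:fc:42"},
        "ip": {
          "ip.src": "0.0.0.0", "ip.addr": "0.0.0.0",
          "ip.dst": "255.255.255.255", "ip.addr": "255.255.255.255"
        },
        "udp": {
          "udp.srcport": "68", "udp.dstport": "67",
          "udp.port": "68", "udp.port": "67"
        },
        "dhcp": {
          "dhcp.type": "1",
          "dhcp.hw.mac_addr": "00:0b:82:01:fc:42",
          "dhcp.option.type": "53",
          "dhcp.option.type_tree": {"dhcp.option.dhcp": "1"},
          "dhcp.option.type": "61",
          "dhcp.option.type_tree": {"dhcp.option.value": "01:00:0b:82:01:fc:42"},
          "dhcp.option.type": "50",
          "dhcp.option.type": "55",
          "dhcp.option.type": "0"
        }
      }
    }
  }
]
'''


def _keep_duplicates(pairs):
    """object_pairs_hook: when a key repeats, gather its values into a list."""
    out, repeated = {}, set()
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif key in repeated:
            out[key].append(value)
        else:
            out[key] = [out[key], value]
            repeated.add(key)
    return out


def load_wireshark_json(text):
    """Parse a Wireshark JSON export without silently dropping repeated keys."""
    return json.loads(text, object_pairs_hook=_keep_duplicates)


def as_list(value):
    return value if isinstance(value, list) else [value]


def summarize(packet):
    """Pull the fields an analyst usually wants out of one exported packet."""
    layers = packet["_source"]["layers"]
    options = layers.get("dhcp", {}).get("dhcp.option.type", [])
    return {
        "number": int(layers["frame"]["frame.number"]),
        "protocols": layers["frame"]["frame.protocols"],
        "src": layers["ip"]["ip.src"],
        "dst": layers["ip"]["ip.dst"],
        "udp_ports": as_list(layers["udp"]["udp.port"]),
        "dhcp_options": [int(o) for o in as_list(options)],
    }


def naive_view(text):
    """What plain json.loads() keeps for the repeated keys: only the last value."""
    layers = json.loads(text)[0]["_source"]["layers"]
    return {"udp.port": layers["udp"]["udp.port"],
            "dhcp.option.type": layers["dhcp"]["dhcp.option.type"]}


if __name__ == "__main__":
    for pkt in load_wireshark_json(SAMPLE_JSON):
        print(summarize(pkt))
    print("naive parse keeps:", naive_view(SAMPLE_JSON))
```

Run it against a real export by replacing SAMPLE_JSON with the file contents; the naive view will show only DHCP option 0 (the end marker) where the packet actually carried options 53, 61, 50 and 55.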

Enjoy.

Mar 23rd, 2020 • Filed under Networking, Wireshark

Live Capture to Multiple Files Using Wireshark

If you want to live capture a long session, maybe over the course of a couple of hours, you will want to write the traffic to multiple files, split by size or duration. This makes the results much easier for analysts to work with, transfer, and so on.

I like to create a dedicated directory for the capture session. I usually name it Capture or <ProjectName>Capture. Once the capture session is complete, you can pick the interesting PCAP files out of the session and delete or archive the others.

Launch the Wireshark application. Open Capture options and select the Output tab.

Select the Create a new file automatically… check box to set your preferences for when to create the next file. You have the options of packets, size, duration, and a multiple of time. There is also the option to use a ring buffer, which will remove the oldest file once the given number of files has been written.

If you know when the session should stop, you can also set the capture to stop automatically after a number of packets, a number of files, or a specific multiple of time.

Click the Start button to start a capture session, writing the capture to the specified directory as multiple files.

Wait for or reproduce the issue, then stop the capture. Collect the files from the capture directory you created earlier.
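Picking the interesting files out of a long session is easier when you remember that Wireshark (via dumpcap) names each rotated file <prefix>_<5-digit sequence>_<YYYYMMDDhhmmss>.pcapng, and that a file covers the time from its own start until the next file starts. The Python helper below is an added example, not part of the original post or of Wireshark; it assumes that naming convention and uses constructed file names from a session that rotated every 15 minutes. Given the time the issue occurred, it returns the files that overlap that moment (plus some slack) and the rest of the session for archiving.

```python
import re
from datetime import datetime, timedelta

# Wireshark (dumpcap) names each file of a multi-file capture
#   <prefix>_<5-digit sequence>_<YYYYMMDDhhmmss>.pcapng
# That convention is assumed here; the names below are constructed samples from
# a session that rotated files every 15 minutes.
NAME_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.pcapng$")

SAMPLE_FILES = [
    "vpnCapture_00001_20200218130000.pcapng",
    "vpnCapture_00002_20200218131500.pcapng",
    "vpnCapture_00003_20200218133000.pcapng",
    "vpnCapture_00004_20200218134500.pcapng",
    "vpnCapture_00005_20200218140000.pcapng",
    "notes.txt",  # unrelated file in the same directory, ignored
]


def parse_capture_name(name):
    """Return (sequence number, start time) for a rotated capture file, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return int(m.group("seq")), datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")


def select_files(names, issue_time, slack=timedelta(minutes=5)):
    """Return the files whose capture window overlaps issue_time +/- slack.

    A file covers the time from its own start until the next file starts; the
    last file has no end yet (the session may still be running)."""
    parsed = []
    for name in names:
        info = parse_capture_name(name)
        if info:
            parsed.append((info, name))
    parsed.sort()  # by sequence number, then start time
    window_start, window_end = issue_time - slack, issue_time + slack
    chosen = []
    for i, ((_, start), name) in enumerate(parsed):
        end = parsed[i + 1][0][1] if i + 1 < len(parsed) else None
        if start <= window_end and (end is None or end >= window_start):
            chosen.append(name)
    return chosen


def split_session(names, issue_time, slack=timedelta(minutes=5)):
    """(keep, archive): the interesting files and the rest of the session."""
    keep = select_files(names, issue_time, slack)
    archive = [n for n in names if parse_capture_name(n) and n not in keep]
    return keep, archive


if __name__ == "__main__":
    keep, archive = split_session(SAMPLE_FILES, datetime(2020, 2, 18, 13, 47))
    print("keep:", keep)
    print("archive:", archive)
```

Point it at a real directory with os.listdir() in place of SAMPLE_FILES; the timestamps in the names are the capture host's local time, so give issue_time in the same zone.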

Happy packet capturing!

Feb 18th, 2020 • Filed under Networking, Wireshark

USB Tether to iPhone from Linux

Once you connect your iPhone to the Linux host with a USB cable, you should get the usual Trust dialog. Tap Trust; otherwise, the Linux host won’t be able to communicate with the iPhone over the USB cable.

After you trust the iPhone, check the dmesg log for evidence of the iPhone being detected by the computer:

[ 4670.866484] usb 1-2: new high-speed USB device number 6 using xhci_hcd
[ 4671.009493] usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.02
[ 4671.009498] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4671.009502] usb 1-2: Product: iPhone
[ 4671.009505] usb 1-2: Manufacturer: Apple Inc.
[ 4671.009508] usb 1-2: SerialNumber:
[ 4671.039802] audit: type=1130 audit(1574722083.595:53): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=usbmuxd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 4671.065013] ipheth 1-2:4.2: Apple iPhone USB Ethernet device attached
[ 4671.065133] usbcore: registered new interface driver ipheth
[ 4671.073395] ipheth 1-2:4.2 enp0s20f0u2c4i2: renamed from eth0
[ 4676.306473] ucsi_acpi USBC000:00: PPM NOT RESPONDING

Umm… enp0s20f0u2c4i2. Okay, eth0 would have been fine, but you know… You can also run ip link to find it.

$ ip link
...
3: enp0s20f0u2c4i2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 3a:53:9c:09:4f:de brd ff:ff:ff:ff:ff:ff

Now that the iPhone is linked with the computer, it’s time to grab an IP address.

$ sudo dhclient enp0s20f0u2c4i2

No errors from dhclient, so let’s check whether we got our IP address.

$ ip addr
...
5: enp0s20f0u2c4i2:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 3a:53:9c:09:4f:de brd ff:ff:ff:ff:ff:ff
     inet 172.20.10.2/28 brd 172.20.10.15 scope global dynamic noprefixroute enp0s20f0u2c4i2
        valid_lft 84663sec preferred_lft 84663sec
     inet6 fe80::ac11:fcb6:de39:d9b5/64 scope link noprefixroute 
        valid_lft forever preferred_lft forever

Looks good. Let’s test connectivity with a simple ICMP Echo Request.

$ ping cormier.co
PING cormier.co (104.27.175.48) 56(84) bytes of data.
64 bytes from 104.27.175.48: icmp_seq=1 ttl=59 time=21.8 ms
64 bytes from 104.27.175.48: icmp_seq=2 ttl=59 time=27.6 ms  
64 bytes from 104.27.175.48: icmp_seq=3 ttl=59 time=28.5 ms  
64 bytes from 104.27.175.48: icmp_seq=4 ttl=59 time=22.4 ms^C
--- cormier.co ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms  
rtt min/avg/max/mdev = 21.831/25.060/28.464/2.973 ms
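The steps above (read dmesg for the ipheth interface name, request an address, inspect ip addr) can be checked programmatically before trusting the link. The Python script below is an added example, not part of the original post; it parses constructed copies of the dmesg and ip addr lines shown above, confirms the USB vendor ID is Apple's (05ac), extracts the interface name from the "renamed from eth0" line, and checks that the address dhclient obtained falls in the 172.20.10.0/28 range that iOS Personal Hotspot hands out.

```python
import ipaddress
import re

# Constructed samples: the relevant dmesg and "ip addr" lines from above
# (a Python example added here, not part of the original post).
DMESG = """\
[ 4670.866484] usb 1-2: new high-speed USB device number 6 using xhci_hcd
[ 4671.009493] usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.02
[ 4671.009502] usb 1-2: Product: iPhone
[ 4671.009505] usb 1-2: Manufacturer: Apple Inc.
[ 4671.065013] ipheth 1-2:4.2: Apple iPhone USB Ethernet device attached
[ 4671.065133] usbcore: registered new interface driver ipheth
[ 4671.073395] ipheth 1-2:4.2 enp0s20f0u2c4i2: renamed from eth0
"""

IP_ADDR = """\
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlp2s0
5: enp0s20f0u2c4i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 3a:53:9c:09:4f:de brd ff:ff:ff:ff:ff:ff
    inet 172.20.10.2/28 brd 172.20.10.15 scope global dynamic noprefixroute enp0s20f0u2c4i2
    inet6 fe80::ac11:fcb6:de39:d9b5/64 scope link noprefixroute
"""

APPLE_VENDOR_ID = "05ac"                              # Apple Inc.'s USB vendor ID
HOTSPOT_NET = ipaddress.ip_network("172.20.10.0/28")  # range iOS Personal Hotspot hands out

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RENAME_RE = re.compile(
    r"ipheth (?P<port>[\d.-]+):[\d.]+ (?P<iface>\S+): renamed from (?P<old>\S+)")


def find_iphone_interface(dmesg_text):
    """Return (interface, vendor id, product id) for the ipheth device, or None."""
    devices = {}  # USB port -> (vid, pid), from the "New USB device found" lines
    for line in dmesg_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            devices[m.group("port")] = (m.group("vid"), m.group("pid"))
            continue
        m = RENAME_RE.search(line)
        if m:
            vid, pid = devices.get(m.group("port"), (None, None))
            return m.group("iface"), vid, pid
    return None


def tether_address(ip_addr_text, iface):
    """Return the IPv4 address (with prefix length) assigned to iface, or None."""
    current = None
    for line in ip_addr_text.splitlines():
        head = re.match(r"^\d+: (\S+):", line)
        if head:
            current = head.group(1)
            continue
        m = re.search(r"\binet (\S+)", line)  # "inet6" does not match "inet "
        if m and current == iface:
            return ipaddress.ip_interface(m.group(1))
    return None


def check_tether(dmesg_text, ip_addr_text):
    """Tie the two together: an Apple device, on an interface inside the hotspot subnet?"""
    found = find_iphone_interface(dmesg_text)
    if not found:
        return {"ok": False, "reason": "no ipheth interface in dmesg; try 'ip link'"}
    iface, vid, _ = found
    addr = tether_address(ip_addr_text, iface)
    return {
        "ok": vid == APPLE_VENDOR_ID and addr is not None and addr.ip in HOTSPOT_NET,
        "iface": iface,
        "address": str(addr) if addr else None,
        "gateway": str(HOTSPOT_NET[1]),  # iOS uses the first host address, 172.20.10.1
    }


if __name__ == "__main__":
    print(check_tether(DMESG, IP_ADDR))
```

On a live host, feed it the output of dmesg and ip addr (for example via subprocess.run). If udev leaves the interface as eth0 there is no "renamed from" line, and the function returns None, which is the cue to fall back to ip link as the post suggests.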

Dec 3rd, 2019 • Filed under Linux, Networking

Benefits of Your Own Domain

If you have ever changed email providers, you know the pain of updating your email address with every service provider, a number that only grows with each passing day; rinse and repeat if you want to change again. This gets old quickly.

To avoid this change of address every time you switch providers, you can purchase a domain and get full control. That makes moving to a new email provider a matter of a few DNS record changes with no change of email address: all existing references keep working, just handled by the new provider.

Having your own domain allows you the flexibility to…

  • Use domain-level services and test them without destroying content, rules, or mailboxes, as it all takes place outside the email solution
  • Move email providers without a change of email address
  • Easily add additional aliases or mailboxes, if your email provider account allows for this.
  • Use domain-level email security, like DKIM or DMARC. More on this later in the article.

Acquiring Domain

You can purchase (register) domains almost anywhere these days and host them in even more places, like Cloudflare and other providers. Depending on the provider you host with, you will have to learn how they manage the zone for your domain. Some have more complex interfaces than others; I prefer consoles with less clutter, but use what you are comfortable with.

Hosting the domain at another provider usually requires domain verification through a DNS TXT record and an update to the SOA record to point to the new provider’s DNS servers. Your DNS registrar should have instructions on how to host your domain with a third party.

I purchase my domains from Hover and host them with Cloudflare. Whom you purchase and host domains with is completely up to you; there are hundreds of companies to choose from.

Email Routing

Routing email to your domain requires a specific type of DNS record, the Mail Exchange (MX) record. These records route inbound email for the domain.

At one time you could use custom domains for free at a lot of email providers, but now it’s usually a premium feature.

Next, add your domain to your email provider, which usually involves DNS or file verification. File verification requires that you have set an A record for the base domain pointing to a location you control, so that you can upload a file with specific content, an S3 bucket for example.

My MX records for Proton Mail are:

cormier.co    mail exchanger = 10 mail.protonmail.ch

Email Security

Properly setting up Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting, and Conformance will mitigate email spoofing attacks involving your domain.

Sender Policy Framework (SPF)

Sender Policy Framework is a technology that specifies which IP addresses may send email for a given domain. At times you might want a third-party service to send email for your domain, such as Mailchimp or an email security solution like Proofpoint.

v=spf1 include:_spf.protonmail.ch mx ~all

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail is used to sign outgoing email. It does this by affixing a digital signature, linked to your domain, to each outgoing message; the recipient verifies the signature by looking up the public key through DNS.

v=DKIM1; k=rsa; p=MIGfMA0GCSqGS...

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC further extends DKIM and SPF with policies: what to do if SPF and/or DKIM fails, plus a third check, alignment. DMARC checks that the domain in the From field aligns with the domains that were authenticated.

Like SPF and DKIM, DMARC uses the concept of a domain owner, the entity or entities that are authorized to make changes to a given domain.

SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command. In addition to requiring that the SPF check pass, DMARC additionally checks that the envelope MAIL FROM (“5321.MailFrom”) domain aligns with the From (“5322.From”) header field.

v=DMARC1; p=quarantine; rua=mailto:[email protected]
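The three records above are only useful if they say what you think they say: a stray "+all" in SPF, an empty p= in DKIM (which revokes the key), or p=none in DMARC (monitoring only) each quietly undo the protection. The Python script below is an added example, not part of the original post or of any provider's tooling; it parses the SPF, DKIM and DMARC records shown above (the DKIM key is truncated on the page and the DMARC reporting address is not legible here, so both are placeholders), flags weak settings, counts SPF's DNS-lookup mechanisms against the limit of 10 from RFC 7208, and implements the relaxed and strict alignment check described above. The organizational-domain check is simplified to the last two labels; real DMARC evaluators use the Public Suffix List.

```python
# Constructed inputs: the records shown above for cormier.co. The DKIM public
# key and the DMARC rua address are placeholders (the page truncates/obscures
# them), not real values.
SPF_RECORD = "v=spf1 include:_spf.protonmail.ch mx ~all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGS_PLACEHOLDER_KEY"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-placeholder@example.com"

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a DKIM or DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings (empty means the record looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if mech in SPF_LOOKUP_TERMS:
            lookups += 1
        if mech == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send for the domain")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dkim(record):
    tags, findings = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v tag, when present, must be DKIM1")
    if "p" not in tags:
        findings.append("missing p tag (public key)")
    elif tags["p"] == "":
        findings.append("empty p tag: key is revoked, signatures will not verify")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"unknown key type {tags['k']}")
    return findings


def check_dmarc(record):
    if record.split(";")[0].strip() != "v=DMARC1":
        return ["record must start with v=DMARC1"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: you will get no aggregate reports")
    return findings


def organizational_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_aligned(header_from, authenticated, mode="r"):
    """Does the SPF MAIL FROM domain (or DKIM d=) align with the 5322.From domain?

    mode "r" (relaxed, the default) accepts the same organizational domain;
    mode "s" (strict) requires an exact match."""
    if mode == "s":
        return header_from.lower() == authenticated.lower()
    return organizational_domain(header_from) == organizational_domain(authenticated)


if __name__ == "__main__":
    for name, rec, fn in (("SPF", SPF_RECORD, check_spf), ("DKIM", DKIM_RECORD, check_dkim),
                          ("DMARC", DMARC_RECORD, check_dmarc)):
        print(name, fn(rec) or "ok")
    print("relaxed alignment cormier.co / mail.cormier.co:", dmarc_aligned("cormier.co", "mail.cormier.co"))
```

To check your own zone, fetch the TXT records (for the DMARC record, _dmarc.<domain>; for DKIM, <selector>._domainkey.<domain>) with a resolver library or dig and pass the strings to the check functions.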

Verify

MXTools has all the necessary tools to verify whether email security has been set up correctly and to aid troubleshooting.

Check SPF
Check DKIM
Check DMARC

Web Content (Optional)

It’s nice to have some type of web content at the root of your domain. For cormier.co, for example, the A record points to a WordPress instance, so if someone pastes my domain into a browser, they end up at this blog.

This blog is hosted on a Linux instance running WordPress, blah, blah, blah. The root DNS A record for my domain is a Cloudflare endpoint that proxies to my Linux instance.

> cormier.co
Server:        10.0.70.2
Address:       10.0.70.2#53

Non-authoritative answer:
Name:    cormier.co
Address: 104.27.175.48
>

You can point it anywhere, a public Amazon S3 bucket would work just as well as a WordPress instance.

Namespaces

If you use the same usernames across the different services your domain can be set up for, you can unify the namespace, so that [email protected] is your SSH username as well as your email address. This might not be a requirement for your situation, but it’s something I like to do to avoid multiple namespaces.

Happy computing!

Nov 17th, 2019 • Filed under Best Practices, DNS, S3