Manny Pimentel recently wrote a blog post describing his ‘Nurse to CCNA’ journey. It was a great post and very cool to see the man behind the man who is the president of short IT Twitter. This got me reflecting a bit on my own journey. I’m not up for telling the whole story of how I came to 40 years of age, so I’ll stick to just one…

Somewhere between 2006-2008 I found myself drawn to the Bat Cave, 909 Marion St in downtown Seattle. I just got my Associates degree from South Seattle Community college and I was working at a place not far from the Bat Cave, a corporate lunch spot called Mel’s Market tossing salads. As luck would have it, I spotted an ad on craigslist while looking for some sort of bike messenger position, a pedicab driver. I contacted the ad and let them know of my interest.

My First Business

I felt a bit of apprehension as the guy ‘interviewed’ me and let me drive him around the block as he explained to me what it was about to do this sort of work. He let me do a few days, expecting me to fail or realize this work wasn’t for me, but, as it turns out, this work was just my cup of tea, in my own way.

To be a pedicab driver I would have to obtain a business license and then I’d rent the pedicab from this man. I completed the paperwork, I think at this time you could obtain a business license for about $80. Then I’d show up for work at the Bat Cave where all the pedicabs were stored…

Pedicab rental rates varied depending on what was going on that day. I don’t recall exact rates but the were something like:

• Mariners Games $35
• Football Games $60
• Any old day $15 – $25

So I’d show up, do a quick check on my bike and head out, I’d have to payout the rental fee once I was done for the night. That was it, keep anything I made past my rental, all cash.

We had about the same group of riders while I was there. It consisted of about 2-3 old timers and 6-8 young new comers.

A Typical Shift

A Mariners game is a good example of a typical shift. I’d arrive to the Bat Cave at around 2:30 – 3 pm for a typical 5ish first pitch. Back in these days there was usually between 3 – 6 pedicab drivers in total, on any given night. We’d lineup like taxis before the games start at the ferry dock, waiting for would be baseball fans to get off and take them to the gates at Safeco Field.

The price of this service would fluctuate a bit, most of the time I’d quote $12 or $17. I was taught to always use an odd number so that you can expect at least $15 or $20 by the end of the ride. Even so, I’d very rarely have the change needed at this point, especially early in this shift. On a good day, I’d hopefully get 3-4 trips from the ferry to the baseball game. So I’d already be well into making money time having already covered my rental fee.

Once the game starts till it ends is more of an adventure. You can choose to wait at any of the exit gates, the easiest rides being the one closest to the ferry. People tend to trickle out of the game after the 5th or 6th inning with a big rush at the end of the game. After the game people ask to go to all sorts of places, from a pub, a strip club or the Siren tavern. Even a couple hours after the game it’s not hard to pick up a ride in Pioneer Square to make some extra cash. Also, the later it gets the more people are willing to pay. Not sure if this has anything to do with alcohol consumption but could be an indicative variable.

Two rides I remember more than any other. One such ride was giving two girls a ride to a Tavern and they were groping and kissing my back the way whole way there. I did not enter into that tavern nor ever speak to them again, still a story (for another day or another platform??!)…The other was a single rider whom I’d taken from the stadium area all the way to a place in Belltown. This one stands out because it was the longest one way trip I’d ever done on a pedicab. I told her that and also the chance I’d be getting more rides was slim and she paid me more in one trip than I usually made in most nights. Great conversationist that one as well.

And I digress…

At the end of the night, usually around 11 pm I’d venture, we’d all end up back in the Bat Cave counting our money. Back in those days I wore some pretty form fitting pants and I’d just have bills stuffed in my sweaty pockets. I wasn’t even to dare trying to do too much with those bills in my pockets out in public, so I’d get back and begin separating bills and see what I ended up with.

A good shift to me was anytime I had over $100 profit. These were easy to do for Mariners and Seahawks games and took some REAL work when you’re just going up and down the waterfront or through Pioneer Square.

The People

With any job I always think whether you had fun or enjoyed what you were doing depends on who you are working with and who you are serving. This job was no exception. There were some awesome people pedicabing and some cool stories from customers I’ll take with me for the rest of my life. People like talking and there is no better place to let someone talk as you are trying to catch your breath peddling them up a small incline…

The night usually ended eating some bbq duck and/or drinking a cloudy beer. To end the night I’d bike the 6-8 miles back to my place of residence back then. Good shape I was in (compared to today me).

Unfortunately, a new pedicab driver had a tragic accident and at least one life was lost. This brought up city politics and the person who’d I’d been renting from moved on after this tragedy. This is about the time I also moved on from pedicabbing as well but always hold this time in my life in high regard even though at the time I was too immature to truly appreciate it. I often wonder what would have been of me had I stuck this out or ventured into buying my own cab had things been different?

How Did this Shape Me

I suppose it shaped me in a lot of ways, but sticking strictly to my career it helped me get out of my shell. The reason the guy, at the interview I initially had was so skeptical of me being a pedicab driver was because I was a shy soft-spoken kid. In this line of work you have to put yourself out there, literally. After pedicabbing I went to barista work and a bit of food service on the side. I don’t think I wouldn’t picked these jobs up as fast or been as successful had it not of been for this experience.

Above all, I got to learn about Seattle. I got to meet all of its citizens. From the out-of-towners that came to the games, to the houseless people eating a Food Not Bombs lunch on a Sunday, to the hot dog vendor cart owners outside of the stadiums. I got to meet and hear so many people’s story in a short amount of time.

So in the end the Bat Cave will always hold a prestigious grip on my heart. We are but the experiences that brought us to where we are.

I’ve written maybe 20 posts or so on this here website. Almost all of them have been explainers or reviews. The following will be something different, something personal. It will probably be a bit short, but I’ll work on that, a journal entry so to speak. Incoming.

The timeline has been a bit cluttered with people giving advise, based on their experience, on what they would focus on if they were starting over in tech. For example, one of my favorite follows on twitter John Breth weighs in:

This got me thinking a bit about my own journey and what it means to ‘start over’ in tech.

The Beginning

I’ve started over, money/job/career wise about 5 ‘major’ times since I turned 18; 40 today. I ‘started over’ in tech in July of 2018, enlisting full-time in the Washington State Air National Guard. The first year and change, when you first dive into the job and associated study, it’s easy. Not necessarily the content/job. What I’m talking about is the motivation.

Everything is seemly made for you. The new person in tech. The books, seminars, lectures, YouTube, study groups are 90% for those who are in the beginning stages of their careers. Or, at least that is what it seems to me. Especially after consuming tons of this content over the last 4 years and change.

The rush of taking your first few certs is pretty bad ass. It rivals that of finals week at the collegiate level in my opinion. Sharing your news with those that helped you along the way and those who you’ve studied with is equally as fun. I’m pretty close online with the connections I’ve made at or around this time. It’s a very special time.

But I don’t really want to talk about the beginning. What comes after that first little rush. When you’re just getting your feet wet but think you’ve come to some standard of knowing something. Right before you realize you barely know anything.

The Hard Part

I’ve been in this hard part for the latter part of the last 3 – 3.5 years. Trying to climb your way out of being a novice and getting to something deeper, unsure of what you can call yourself. To motivate myself I spend a lot of time online. Most of the people I look up to online are some sort of engineer, gave talks at conferences, been doing the thing for at least 15 years or some 18 year old CCIE candidate. There are so many freaking awesome people out there to be inspired by.

All that inspiration you get when you are first starting out, when inevitably comparing yourself to those you are inspired by, begins to weigh on you when you are reaching year 3 and into year 4 and you are diving into yet another new technology and having to learn the fundamentals of something new.

I can tell I’ve made progress when I’m talking to those I work with, or someone who themselves are just starting to learn a certain aspect in tech I’ve spent some time on. I surprise myself by how articulate I can explain something. After the conversation I’ll marvel at how much I actually do know.

But then I’ll do something like go to my first tech conference and meet a bunch of super amazing people again. An inner dialogue begins. Am I good enough? Is this the right career? Do i ‘love’ this? What am I doing with this?

How do I relate what I do to my kids? This question right here weirds me out, as the answer is something close to: I respond to emails, solve puzzles and google stuff for people that are too lazy to read. How is this a rewarding life? I’ve always had trouble selling stuff, myself included. I don’t see it as a bad thing but rather see it as me having a true heart and an understanding of what’s actually important (I have trouble lying…).

The Next Thing

This is what I’ve come to accept as what whatever this tech thing is. It’s continually learning. It’s not knowing (but finding out). It’s not something to master, it’s something to be in awe of, to be curious about.

How do you know tech is right for you? If you see something, tech related, and wonder how that works. How can you make it do something else. How can I get it to do what your friend did. I think this attitude, if you are nodding your head north and south, means you are in the right spot.

I doubt 10 years from now will look a lot like today. So that means nothing but learning ahead. Even though I’ll never be Ivan Pepelnjak, the hope is that I’m able to draw on my experience to pick up things faster. Notice that this new thing is actually this old thing bolted on to this other old thing. Speaking of finding little nuggets. When thinking about ‘if I could start over in tech’ I’m reminded of a cool RFC I was linked to a book I was reading. I find it fun to follow a lot of the links when reading 🙂

1. Introduction

   This Request for Comments (RFC) provides information about the fundamental truths underlying all networking. These truths apply to networking in general, and are not limited to TCP/IP, the Internet, or any other subset of the networking community.

2. The Fundamental Truths

   (1)  It Has To Work.

   (2)  No matter how hard you push and no matter what the priority, you can’t increase the speed of light.

(2a) (corollary). No matter how hard you try, you can’t make a baby in much less than 9 months. Trying to speed this up *might* make it slower, but it won’t make it happen any quicker.

(3)  With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead.

(4)  Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network.

(5)  It is always possible to aglutenate multiple separate problems into a single complex interdependent solution. In most cases this is a bad idea.

(6)  It is easier to move a problem around (for example, by moving the problem to a different part of the overall network architecture) than it is to solve it.

     (6a) (corollary). It is always possible to add another level of indirection.

(7)  It is always something
     (7a) (corollary). Good, Fast, Cheap: Pick any two (you can’t have all three).

(8)  It is more complicated than you think.

(9)  For all resources, whatever it is, you need more.

    (9a) (corollary) Every networking problem always takes longer to solve than it seems like it should.

(10) One size never fits all.

(11) Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.

     (11a) (corollary). See rule 6a.

(12) In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away.

Request for Comments: 1925 [1 April 1996]

So if I could do it all over I’m not sure I have any better advice to give. Do what you like to do. I’ve heard John Capobianco on more than one occasion ask people what they are interested in, whether it be Pokémon or baseball, and tie those interests or hobbies into a tech project. I think this is great advice, and I’ve tried to share it with others. There are so many ways to tie something tech related to things out there in the world. If you can combine the two you can learn more about both at the same time.

Like I alluded to above, sometimes I don’t feel all that into everything all the time. Sometimes I use this hobby/job/phase of my life to distract myself from other aspects of my life. We all have our lows. I’ve been there. I doubt myself. I wonder what I’m doing.

In the end I’m just a curious dude. I studied philosophy and my favorite word when I was a seven year-old was why. Every profession I’ve taken up I’ve looked into the science, tried to hone my craft with a bit of flare. Perhaps I’m just in this particular game because I enjoy puzzles. This is just another phase in my life. Another chapter. Will the next chapter be tech. Maybe, but I’ll be equally immersed in whatever I’m doing because as I’ve come to find out that’s just the kind of guy I am.

All Good Things Must Come to an End

Like this blog post.

If you feel something in your heart is pulling you, I’d say follow it, and give it your entire heart. This might not be it for you or maybe it isn’t for you ‘right now.’ I’m not super into long term goals. For me, I focus on daily routines. What do I like to do? Spend time with my family? Yes, put it in the routine. Read? Yes, put it in the routine. Run? Yes, put it in the routine. I control each day, as much as one can, and put my effort in things I enjoy. Where will this get me in 10-20 years? I don’t know career wise, but I know I will have been an active parent who attempted to do his best on any given day.

As with journeys, i’ll see you around the bend, until next time. If you see me, say hi.

***This article was written by Patrick Kinane. We thank Patrick for this contribution!***

I recently used my Cisco Time2Give to help families in my local community via Toys For Tots. While I was there volunteering for 7 days, I was fortunate enough to do a little of everything from receiving toys at the warehouse to sorting the toys and filling orders, even delivering toys to a family. I will elaborate on my experience, but here is a short list of cool things that happened throughout my Time2Give.

• Working with Toys For Tots, in general, was pretty cool (details and pictures later)
• Seeing fellow Marines I’ve not seen since 2012
• Working alongside my new team (which we are all remote) and working with Cisco Partners from ePlus
• Getting to know people who were delivering toys (I always asked where the toys were coming from)
• My Toys For Tots journey
• Delivering toys to the house of a recipient family
• Shout out to fellow Cisco employees

Let’s go on down to the unit and dive into things.
Note: I am a Marine; I like books/blogs/reading material that has plenty of pictures… That’s right, reading material = pictures.
Other note: I promise there will be a lesson here for people working in (or aspiring to work in) tech.

General Coolness
Working with Toys For Tots (T4T), in general, was pretty cool. Just seeing the piles of toys coming and going. Getting to be a part of it. I do not have the metrics from this year as the current T4T campaign is just now coming to an end. I was able to get the metrics from 2020 though, and I expect this year’s numbers would be comparable.

• 27,000+ children received toys from the local T4T campaign (servicing North Carolina)
• Roughly 80,000 toys distributed
• $86,000 raised

Among the highlights of the campaign, for me, was when a U-Haul van filled with $28,000 worth of toys arrived:

It took a very long time to offload that truck. You cannot see all the bicycles under that massive pile of toys, but there were so many really nice bikes. I asked the driver where the toys were from, he said a family donates each year, and last year they did $22,000 worth of toys (I will revisit this later).

One of the Cisco Volunteers (Michael Dayton) started a toy drive in their neighborhood. Michael was collecting toys at his house, and then in the morning, he would bring the toys to the warehouse. Then the toys would be offloaded and sorted accordingly. Afterward, Michael worked the day helping with whatever tasks were waiting. One more thing about Michael, he is a former Marine (SFMF). The next photo shows just one of the toy hauls Michael and his neighbors collected.

Reconnecting With People
Something to note about the unit where we did T4T is that I was once a Platoon Sergeant at the same unit; with two other Sergeants (Hudson and Presslein). The uniformed picture captured the last night we were together (back in 2012). That night Hudson and I got pulled over in a taxi by 9 sheriff deputies, but that’s a topic for another time (maybe something to cover in a podcast episode of The Art of Network Engineering). The following picture is Hudson and I at our old unit, assembling bicycles for T4T.

I was also able to work with two other Marines from the old unit. One of them is Lewis, who is the CEO of SPOTR. He does a ton of great work for the community (locally and nationally) and does work with USVC. Hernandez is the Marine I was referring to in this tweet. This is one of the important lessons for people looking for a job in tech. She is about to graduate with a degree in cyber security, and she met cybersecurity professionals. They discussed which certificates to go for and why; furthermore, she received some excellent guidance with career development and job market trends. People also started reaching out to their networks to ask about vacant cybersecurity positions.

Team Building and Partner Relationship Building
Several people from my new team were able to join us, and working with my new team, in-person and sitting down together for lunch was huge! I believe it was an intense way for us to finish out our first year working together. It was also great that new relationships between my current team and people from my previous team were able to take root. Even more beneficial is that we worked alongside Cisco Partners from ePlus, which facilitated some Cisco Pre-sales Eng interacting with Cisco Partner Pre-sales Engineers (Brian Meade specifically – those in collab may know his name).

What’s The Story Behind The Toys?
I would get to know people who were delivering toys, and while talking with them, I would always ask about the background of the toys. Some originated from office toy drives such as a dentist or doctor office, others neighborhood toy drives, often a fire station (bring a toy and get to ride the fire truck), some veteran groups, and boxes outside local stores (Walmart, Target, Starbucks, Grocery Store, etc.).

What about the family who donated $28,000 worth of toys? The gentleman driving the U-Haul of toys is a local firefighter. He let us know the family lost their son in a tragic car accident in 2003. The family donates all those toys in honor of their son, and it is incredible how something so sad has also become something so amazing.

My Toys For Tots Journey
I joined the Marine Corps out of high school. This took me from New York to some yellow footprints, and I eventually landed in Huntsville, Alabama (for a few months to learn a job). While I was there, it was the holiday season, so we Marines helped with T4T. The best part of that experience was interfacing directly with the families. While giving a bicycle to a family, it reminded me of when I was a kid, and someone delivered toys to our place (good ole 1994). I remember getting a bike from him and wondering why, but not thinking much of it because I was psyched about the new ride. At T4T in Huntsville, I realized the deal with the toys and bike from that day back in 1994.

While on Active Duty that was my last time working with Toys For Tots; however, I joined the Marine Corps Reserve after my time on Active. This is important because Toys For Tots is a Marine Reserve initiative. So I was back to interacting with T4T during the holiday season while I was a reservist; however, I left the unit in December 2012 because I began working at Cisco in January 2013 and I wanted to put all my focus into Cisco.

While working in Cisco TAC (pre-covid) I used to work with several other veterans to help facilitate the T4T drive throughout the Cisco RTP campus. I eventually stepped away from Toys For Tots (having more kids, studying for CCIE, etc.); however, this year was my first time back since pre-covid and it was awesome!

Something I want to reiterate is, my experience and the experience of my fellow Cisco employees was made easy by Cisco providing us with Time2Give.

The Best Part
There’s a family about 20 minutes away from where I live today. The children lost their dad earlier this year, and a wife lost her husband. A mom and dad lost their youngest son, and two brothers lost their younger sibling. Assisting families during trying times is one of the most rewarding things I’ve ever done. I wish everyone who donates their time, money, food, toys, etc., could see the impact of their efforts because it is beautiful.

Shout out to fellow Cisco employees

• Michael Dayton
• Kenneth Onyebinachi
• Kyle Davenport
• Taylor Noumi
• Bill Davis (and wife)

Check out these other people from my team who are making an impact in their communities using Cisco Time2Give

Today I’d like to talk to you a bit about studying in public, how I go about it and some of the benefits it has given me the last few years. Studying in public, which I’ve mostly done on Twitter until I started writing for this blog is something I’d recommend everyone trying to learn something new do. In the following I’ll give two examples of me ‘studying in public’ and then give insight along the way and conclude with it’s benefits.

As weird as this may sound, my favorite thing to do lately as it relates to tech is parsing logs and pcaps. I’ve enjoyed getting introduced to tools like editcap, tcpdump, tshark, jq, cut, uniq, and sort and piping them all into each other to extract just the right information and display them in a pleasing way. The past few months I often see people on my timeline getting acquainted with python and if it has anything to do with reading in a file and doing some parsing then printing I’m often running through my mind ‘how would I do that in bash…’

One tool I’ve yet to touch, which I feel may level up my log and pcap ninja slicing is awk. One coworker of mine, and now my current FOR572 instructor casually use this tool to do some amazing things. So perhaps it’s time for me to dip my toe in the awk waters?!

As I’m writing this very sentence, I’ve still not used awk, I’m literally going to try it out right here for the first time. What we need though, is a task, so let’s look at Kirk Byers first set of exercises for his free Python for Network Engineers course. To be clear, I’m not saying you shouldn’t learn python or that doing everything from bash is ‘better’ but I think it’s fun to learn how to do things using multiple tools, and also, you may find yourself on a Linux server that isn’t connected to the internet, may not have a certain version of python installed or you are missing the python packages to get your script to run but chances are you will have common bash tools at your disposal. We move.

The first exercise in lesson one asks us to:

Create a Python script that has three variables: ip_addr1, ip_addr2, ip_addr3 (representing three corresponding IP addresses). Print these three variables to standard output using a single print statement.

Well we won’t be using python to do this, let’s try this with awk in bash. [15 min passes while I went to the google and tried a few things out]. I’m back and we do have ourselves a bash one-liner that will solve the first prompt:

$ echo | awk -v ip_addr1='192.168.16.1' -v ip_addr2='10.10.1.1' -v ip_addr3='172.16.31.17' '{print ip_addr1, ip_addr2, ip_addr3}'
192.168.16.1 10.10.1.1 172.16.31.17

What did I learn doing this first exercise? Well, first off, to set a variable with awk you use the ‘-v’ option. Furthermore, their is no syntax I could find to do multiple variables with one ‘-v’ option, instead, as shown above you have to do a ‘-v’ for each variable. With print we are able to print all three of our variables separated by a ‘,’ within brackets and a quotation. I am left with one question though:

I don’t understand why the command works with echo and doesn’t run the same way without it…what magic is echo doing here is the real question OR what is possibly missing syntax wise without echo. One cool thing about twitter is that people much smarter than me are willing to offer their time and provide insight, as Roddie and Quinn do here. I’m very thankful for having so many people out there helping me along 🙂

A quick aside, I often do learning in public, that was this blog post is and I think it’s helping me grow more than anything else. By posting what I’m doing, even if it’s the most trivial newbie thing it starts a lot of conversations. From other people learning at the same level as me or from more senior people showing best practices or alternative or faster ways to accomplish a task. I definitely recommend sharing what you are learning in some capacity on a platform where others can interject. You’ll learn a lot and make a few good connections along the way!

If you were curious how Kirk solved his prompt with python:

from __future__ import print_function

ip_addr1 = "192.168.16.1"
ip_addr2 = "10.10.1.1"
ip_addr3 = "172.16.31.17"

print(ip_addr1, ip_addr2, ip_addr3)

Another person who’s quick to help anyone learning is Kirk himself. This is yet another example of how studying in public can help open your eyes and give insight you’d otherwise be left in the dark about. For me, I’ve been doing a bit of tech stuff since the early 2000s. When I first started there wasn’t an online forum with people interacting. I thought I was doing ok, as compared to people in my office and those I interacted with, but today, with a bunch of people on line, I’m continually pushing myself and my boundaries of knowledge with people way smarter than me. So, even if I’m not being pushed were I’m at I have a whole world to help guide and help me grow now.

Looking a bit into awk it looks like I got a lot to learn, and once I get back into my bigger data sets at work I’ll dive deeper into it’s search and printing functionalities. I’ll also reference ‘Effective awk Programming’ Arnold Robbins on Oreilly Books. Did we learn a lot from this one example? Maybe not, but sometimes the first step is the hardest and I hadn’t written a post here on the Art of Network Engineering recently and I wanted to try and get back on the horse so to speak. If I’m able to break through in the next few months on the awk train, be sure to check back in for a more extensive awk walkthrough.

This was just one example of ‘learning in public’ and I found myself writing a script later the same night. Another thing I’m trying to navigate and get better at. I got help again when I was stuck and ended up finding out I could do my whole script in one line. I found out all these things in a matter of minutes and a good nights rest. If I wasn’t learning in public who knows how long it would of taken me to gain these insights.

If you are interested in the script you can follow this thread, or see the final version below:

for i in {0..599}; do
    echo -n "Status Code ${i} seen: " >> ./statuscode.txt
    tshark -n -r lab-1.2_capture.pcap -Y "http.response.code == ${i}" | wc -l >> ./statuscode.txt
done

sed -i '/seen: 0/d' ./statuscode.txt

This will give you the output:

$ cat statuscode.txt 
Status Code 200 seen: 1138
Status Code 204 seen: 28
Status Code 301 seen: 2
Status Code 302 seen: 44
Status Code 304 seen: 21
Status Code 307 seen: 1
Status Code 403 seen: 1
Status Code 408 seen: 6

But, after a good night’s sleep I realized you can get this all done in one line much more efficiently:

$ tshark -n -r lab-1.2_capture.pcap -Y 'http.response.code' -T fields -e http.response.code | sort | uniq -c
   1138 200
     28 204
      2 301
     44 302
     21 304
      1 307
      1 403
      6 408

So while I didn’t dive all the way in and provide a step by step tutorial I hope I was able to give you insight to another aspect of my learning style and perhaps it can help you when you are starting out on a new learning venture. I remember at first being a little nervous of putting myself out there or ‘sounding dumb’ and I soon realized everyone is out here beginning or everyone has at one time been a beginner. Will, that’s all today, happy learning!

Bert’s Brief (by @TimBertino)

Andre was gracious enough to let me give my thoughts on the “learning in public” concept. I share the same sentiment about getting started with writing publicly as you are learning something knew. I had the thoughts like:

• If I’m new to this, what’s the point of writing a blog post? Nobody is going to get anything out of this this, right?
• Do I really want to show the world that I’m a beginner in X, Y, or Z?

I’ve learned to throw those thoughts to side and I agree 100% with Andre. There are great benefits to learning in public, such as:

• Writing a blog post about something you are learning forces you to explain what you learned. You become a teacher, if you will. This can really help you better understand concepts. You do NOT have to wait until you are an “expert” in something to write a post or teach it to someone else. This was a hurdle that I had to get over.
• As far a blogs go as a method of learning in public; writing is a skill. Writing about what you are learning about allows you to practice the art and find your own style.
• You never know when you might bring inspiration to others. You could be greatly helping other people who are at similar points in their journeys.
• As Andre mentioned, just by posting a question on a social media platform like Twitter, you can make some awesome connections.

So, I encourage you; write that post, ask that question, practice your craft, and help others along the way. And if you need a platform to write blogs, connect with us here at the Art of Network Engineering!

With so many networking books out there, someone coming into networking could find themselves asking: are any of them any good??!

This blog post, in opposition of the title, are not the 5 best. Who am I to say they are the best?! I’ve been studying pretty good for the last two years now. Just the other night I realized when someone asked if a book was good or not that I’ve read quite a few pages over that time frame. Having read quite a bit I’m going to spend a bit of time highlighting what I feel are the best of the best, the must reads. These are all books that I’ve really enjoyed and content I’ve connected with since I started my journey.

Book #1

Junos Enterprise Switching and Junos Enterprise Routing

My absolute favorite book(s) on networking covers Junos. Both books are older than 10 years or so but filled with everything you’d need to understand the fundamentals of switching and routing. The books are Junos Enterprise Switching and Junos Enterprise Routing. The number one reason why these are great books is that they allowed their personality and humor to spill out. Every other paragraph has some bit of hidden humor morsels.

These books are even highly recommended from Juniper’s best Yasmin Lara and Art of Network Engineering’s own Carl. So even though these books are a bit older, their wit really shines and makes getting through all the nitty-gritty all that much more enjoyable. If you are just getting started in networking you can’t go wrong knocking these two books out first.

Book #2

Anything by Dinesh Dutt

From earliest to latest, Mr. Dutt’s books include BGP in the Data Center, EVPN in the Data Center and Cloud Native Data Center Networking.

Even if you don’t really know BGP yet or basic Data Center concepts, do not fret. These books are still for you. Why? Because Mr. Dutt does such a great job at breaking down each technology to a simple digestible nugget before building a beautiful tapestry that ties everything together.

Book #3

Cisco Software-Defined Access – Cisco Press

This book was just a joy. It might have had a lot to do with my studying at the time. I was in multiple ENCOR study groups and I’d committed to trying to lead the SD-Access section and this book laid out everything so that I could have a somewhat successful presentation. This book broke down how everything was automated to what was going on underneath the hood of the automation. Harnessing the internet, I watched Roddie Hasan’s Cisco Live presentations (which is an amazing free resource) and followed him on the twitter (you should do the same, super cool dude). If you were only to read one chapter, read chapter 6.

Furthermore, I had won a book giveaway by another author of the SD-Access book Jason Gooley and he sent me a few Cisco Press books so I just have a lot of good vibes from this book and the connections I’ve made from it.

Book #4

The ASCII Construct

The ASCII Construct is not a book, though it should be. The author of this blog writes in such a way that that it inspired me to try and write something. He explains things in pain staking detail not normally outlined or covered. So the tidbits you get on these posts are not found in many other places on the internet. Furthermore, the author, Aninda Chatterjee, is one of the nicest people I’ve had the pleasure of interacting with. He has given his time over and over again on questions about anything. A teacher of the highest quality.

Book #5

Network Programmability with YANG: The Structure of Network Automation with YANG, NETCONF, RESTCONF, and gNMI, First Edition

The last book I’d like to highlight is Network Programmability with YANG by Joe Clarke, Jan Lindblad and Benoit Claise. Everyone’s talking about network automation and I think this is the book that really breaks down a lot of the underpinnings in ways other books simply don’t match. This book is just well put together. Great, simple explanations with subsequent code examples with each chapter ending with a cool question answer with a different ‘expert’ related to what’s covered. This was a another book that stood out as an example to me as something I’d like to aspire to if I ever ended up writing some long form stuff.

Honorable Mentions

After reading this you may be wondering to yourself, I’m studying for xxx Cisco exam or what not, and not one OCG was mentioned. Truth be told, I’ve read quite a few OCGs and simply put, I just don’t like them. I don’t like being distracted by ‘do I know this already’ and ‘key terms’ and other certification type related sections. I prefer books that just discuss the technology. If I did have to choose my favorite author of these sorts of book I’d go with Kevin Wallace. My guy spent less than a year at Walt Disney according to his LinkedIn but I feel like I’ve heard 20+ stories about it going through his training, which I enjoyed.

Other books you should check out that I didn’t explicitly outline in the top 5 are: Automating Junos Administration, Computer Networking Problems and Solutions, Network Programmability and Automation, Routing TCP/IP, Volume 1 and Routing TCP/IP, Volume II.

Bonus

Since I mentioned one blog, and we are talking about learning content, I want to highlight some video content creators out there.

Video Creator #1

Calvin Remsburg

One such creator is Calvin Remsburg. He’s been streaming on Twitch (which I can’t find a link to at this time) and Youtube a bit over the past couple of years. His posts are long and if you get in on the live stream, interactive. He shares his point of view on all sorts of networking and automation concepts as he walks through a technology. Always felt he should have many more subs than he does.

Video Creator #2

Matt Oswalt

This was a short series and only covered one topic, git. Matt Oswalt ran a little series called Labs & Latte where he begins each episode with some cool piano notes and some latte art. If you follow my twitter feed you know I’m into coffee. In any case, the content here is just great. I hope Matt picks this back up in this sort of format. I understand you can find Matt on other channels with a white doctors coat on explaining network automation but I really like this format and presentation.

Video Creator #3

Network Collective

I got into watching their Wednesday night live streams when I was in Arkansas for work a few months ago. They do a cool trivia segment segment and plenty of demos with industry pros. Their production quality of this live stream is very good. At some point, once I climb all the way out of debt, I hope to become a paid subscriber. They have so much content out that once you get a bit hooked you’ll have a mini mountain of content to binge through. Since I’ve been back home on the west coast it’s been really hard to get home and tuned in to the live stream so I’m going to have to make this more of a priority 🙂

Final Bonus

Ivan Pepelnjak

Subscribe to this gentleman’s content. You could be watching an old network field day and hear this voice that’s just firing off question after question. Turning every complex technology into a simple analogy of another technology. I was introduced to Ivan in a Youtube video interview with David Bombal. I’ve since watched all the content I could get my hands on at ipspace.net and listened to all the episodes of his podcast Software Gone Wild. I heard recently he may be taking a step back a bit from content creation but will still be blogging. Whatever the case, make sure to check out his content.

Final Final Bonus

I have a long commute. So I listen to a lot of content as well. Here is a short list of my favorite networking related podcasts: The Hedge, The Art of Network Engineering, Full Stack Journey, Network Collective, Darknet Diaries, Software Gone Wild and History of Networking.

All for now, let me know what books or anything else I’ve missed and need to check out!

The third section of my SANS503 course has a huge section, the second biggest of the entire course, dealing with some 110+ slides on snort. I’m not here to give you the history of snort, IDS/IPS placement within your enterprise or any of that, instead I just want to introduce you to the basic structure of a basic snort rule. The most important thing to takeaway from snort rules is that there is no concept of ‘or’ within a rule. It either matches and does the action or it doesn’t.

First things first, if you’re going to create your own custom rules you’ll specify the location of this file in your overall snort configuration file [snort.conf] which is by default ‘local.rules’. At this point you will have to decide upon which text editor you will use to create and edit your new rules. This can become a contentious conversation for some. For me:

vim local.rules

A rule consists of two main parts, a header and a body. The header is mandatory and the body is not. There are seven mandatory options in the snort rule header:

Action | Protocol | SourceIP | SourcePort | Direction | DestIP | DestPort
-------|----------|----------|------------|-----------|--------|----------
alert  | ip       | any      | any        | ->        | same as| any
pass   | tcp      | IP       | #          | <>        | Source | #
log    | udp      | IP/CIDR  |            |           | IP     |
drop   | icmp     | !IP      |            |           | options|
sdrop  |          | $Variable|            |           |        |
reject |          |          |            |           |        |

The above chart doesn’t outline every option within each category but it should give you a pretty good overview of what’s possible within each spot. Most importantly, I’ll explicitly state that you can define vars in your snort.conf file and use those vars in your snort rule instead of hard coding them in the rule itself.

Here is an example of a header, including calling a variable:

alert TCP $HOME_NET ANY -> ANY $HTTP_PORTS

Now let’s dig into the body a bit and go over some common options you may find in a rule body. The first thing we need to do is to start the body, and to do this we use a ‘(‘ after the header. Then notice how the keyword and argument are separated by ‘:’ , ended by a ‘;’ and the body is ultimately closed by ‘)’.

alert IP any any <> any any ( \
     keyword:argument; \
     keyword:argument_1,argument_2; )

Below is an example of some keywords and arguments in an actual rule:

alert TCP $HOME_NET ANY -> ANY $HTTP_PORTS ( \
     msg:"I LOVE SNORT"; \
     sid:1000001; rev:1; \
     content:"big_poop"; \
     content:"SmellsBad", nocase; )

I’m pretty new at writing rules myself, but this is the format I like to use. After starting the body, I like to begin the body on a new line by using ‘\’ and having each keyword and it’s associated arguments having it’s own line. I find this much easier to see what’s going on if you have your rules written like this rather than all on one line. The ‘msg’ keyword will display in the log if this rule matches traffic so make sure you make it useful. Custom rules begin with a ‘sid’ of above 1 million and instead of making a new rule or ‘sid’ when you change something you can increment the ‘rev’ to keep track of the revision number. It’s also good practice to store your old rules, perhaps in a folder called rules.old so that you can rollback to a previous configuration of the rule if needed.

Content is probably the most common keyword to use within a snort rule. It will search for the content within the packets payload. The ‘nocase’ keyword simply tells snort that you don’t care about case and will match any case that matches your ‘content’ argument. You can further optimize the rule by telling snort where to look for the content by using the offset and depth keywords. Offset tells snort where to start looking, with offset 0 being the very beginning of the payload and depth tells snort how many bytes to look in.

alert TCP $HOME_NET ANY -> ANY $HTTP_PORTS ( \
     msg:"I LOVE SNORT"; \
     sid:1000001; rev:1; \
     content:"big_poop"; offset:4; depth:20; \
     content:"SmellsBad", nocase; )

Beyond offset and depth, there are two relative pointers you can use. Distance will tell snort where to start looking for the content relative to where snort left off in your previous content argument. The within keyword is designed to be used with distance to instruct snort how many bytes to examine after it determines the starting point to search.

alert TCP $HOME_NET ANY -> ANY $HTTP_PORTS ( \
     msg:"I LOVE SNORT"; \
     sid:1000001; rev:1; \
     content:"big_poop"; offset:4; depth:20; \
     content:"SmellsBad", nocase; distance:20; within:10)

Now I know there are a bunch more ways to further optimize or specify your rule but this is only an intro to snort rules in general, not a masters thesis. With that said one fun thing to do when adding on to your rule or creating your rule for the first time is to run it against some traffic. If you have a pcap, look at the details of a packet and try to create a rule that will match that traffic.

You can run snort on a pcap by using the ‘-r <filename>’ option and then point to your snort conf file with the ‘-c <filename>’ option. Furthermore you can specify a filename for your log using the ‘-l <filename>’ option:

snort -r http_extract.pcap -q -c etc-snort/snort.conf -A console \
     -l rule_test.log

One last tip, when creating your rule it’s a good idea to create it line by line. After you add a line, specifying your rule further, test it against the traffic it’s designed to alert and make sure it’s still working they way you want before moving on. This makes troubleshooting your rule easier than if you go all out creating a multiple line rule and then realizing your rule isn’t catching traffic.

If you have further tips, feel free to leave a comment to let me know. I’m just starting myself and understand this is the best time to start building good habits 🙂 Till next time!

Bitcoin continues to be pioneering as the currency continues to hit all-time high every new season, particularly in 2020.. As at the time this article was written. It currently trades at $26,765. But one of Crypto’s interesting applications is not that individuals trade it to become richer. It’s about solving big challenges that make money for you. It’s about turning capitalist greed (the burden of making payment across countries) into unselfish open-source software.

Crypto doesn’t really have the best rep in the tech world, just about the same thing that happened when the internet started. But Crypto is just a slice of the cake. People often don’t talk about the technology in which Crypto is built upon, that is called “Blockchain.”

The term “Blockchain” always comes to my mind when I hear or read the word ” Cryptocurrency.” But the media frequently correlates “Cryptocurrency” with “illegal transactions.”

In this article, we will briefly examine how valuable the implementation of blockchain technology is being developed, as well as how this offers an enormous opportunity for individuals who study Network Engineering.

With Blockchain What Can You Achieve?

Beyond cryptocurrency, there are interesting things you can achieve with a blockchain:

1. A Data Which Does Not Change: A company like Twitter is a privately owned social media company. This means that the data can be changed at any time by anyone who has access to the company’s admin database. Unlike a company like Twitter and other Web 2.0 companies, a blockchain is owned by no one, meaning that no single owner can serve as a single source of information for other users.
2. Digital Scarcity: In a blockchain network, data may be owned by other users, but cannot be copied and distributed to other users. This gives value to an asset the user owns.
3. Payments: Since cryptocurrency has been integrated into the blockchain, sending valuable assets in the form of tokens such as Bitcoin, Ethereum, etc. has been made possible and smooth.
4. User Identification & Data Privacy: This one marvels me a lot because this is what Web 3.0 (Blockchain Web) is built upon. With user identification, a user is given a single blockchain address to sign into all web pages/web applications on the web. We will talk more about this on the next section. With data privacy, a user can control who has access to their information. For instance, if a user logs off a site, the site owners can no longer access their data directly. Unlike Web 2.0 in which the site owners have user credentials stored in their database.

Web 2.0 vs Web 3.0

With Web 2.0 a user has multiple means of identification on the internet. They can also have multiple identification to the same website. One user can have a G-mail, iCloud, or an outlook user identification.

But with Web 3.0 which leverages blockchain, the case is different.

On Web 3.0, different blockchain have their network, their community participants and a software which acts as a wallet & form of identification for accessing this network. The most popular blockchain network at the moment is the Ethereum network and it is powered by a popular software called Metamask. This means that on an Ethereum network, they are several websites inside the network. And to log into each of these websites, users only need a single Ethereum blockchain address.

Payments on eCommerce websites are also made with the cryptocurrency of the blockchain network.

Users can even build their network, with its own cryptocurrency. That is why you see new cryptocurrencies every day.

Okay, if you are non-IT reader who just wants to know what the future web you might be using soon will look like, you can stop here. One interesting value I feel blockchain is bringing in the telecommunication industry is a proof of location protocol.

FOAM Proof of Location Protocol

Okay, when I say FOAM, I don’t mean the comfy soft material used in making beds. FOAM is a startup who is providing value for people who think that they deserve to have control over who get access to their locations at all time.

For satellites to get the location of a device who has a GPS installed, the GPS sends a signal to the satellite 🛰️, then the satellite calculates the difference in time of arrival, and distance of this signal.

The FOAM protocol also applies this approach of using four objects (called Zone Anchors) with specialized IoT hardware so they can synchronize themselves over the radio signal they are receiving from the device which came into the area.

In case you are wondering, why does the satellite or the Zone Anchors have to be four to locate an image?

As each data from one satellite places you in a bubble around the satellite, you need four satellites. You can narrow the possibilities to one single point by evaluating the intersections.

Drawbacks with Depending on GPS

1. It has a single point of failure, which are satellites. The New York stock exchanges use GPS to automate trades, ATM and card transactions require location data, all transportation machines use GPS, etc. So, having redundancy is extremely important.
2. It’s susceptible to signal jamming
3. A GPS received can be deceived with a wrong GPS signal

How Does FOAM Blockchain Provide Opportunity for Network Engineers

This location-based protocol implementation using blockchain proves that a time where all things will be connected securely with 5G is bright and approaching rapidly. And it provides countless opportunities for people who will study network engineering because these engineers will be the one configuring and maintaining these devices.

The first step to starting this journey, is by taking the Cisco Certified Network Associate (CCNA) exam. This is because this certification has a low barrier to entry, it provides a positive force in the society (IoT, Blockchain, etc.), and lastly it has a global impact.

Another reason is that this implementation proves that blockchain technology is promising, and blockchain uses distributed system technology which will sky rocket with 5G, meaning that a lot of automation will be achieved. Network engineers have begun taking on automation, by studying the Cisco Development Network Associate (DEVASC) you have the opportunity to be skilled enough to take on this new opportunity.

Additional Reading & Resources

• Read this white paper to learn more about FOAM protocol
• The entire global financial system depends on GPS, and it’s shockingly vulnerable to attack
• Metmask a crypto wallet
• What is a Single Sign-on?
• Illustration of how a GPS works
• Global Positioning Satellites (GPS) systems
• Why GPS Positioning requires four satellites
• The exploration in the future of 5G and Blockchain

Apply & Win a complete CCNA kit from The Art of Network Engineering Team

When learning, I often try to do as my teacher. For example, when I went through Kirk Byers free network automation course he used Vim exclusively which meant I got to get pretty comfortable with it myself. Now that I’m on to day 2 materials of my SANS SEC503 course I find myself getting deep into tcpdump. In day 1 a lot of things could either be done with Wireshark or tcpdump but in day 2 there is a bigger emphasis in getting the most out of tcpdump. The instructor seems to really fancy utilizing tcpdump filters over looking things over in Wireshark so I might as well buckle down and do as my instructor once more! Furthermore, as I’ve experienced in person and discussed in this class, attempting to open a very large pcap in Wireshark is most likely not to go well. Instead, we should be able to narrow our search and extract a smaller subset of data in tcpdump before we open it up in Wireshark. What better way to grasp the material than attempt to explain it! Strap in!

To get to where we need to I will need to introduce a few things before we get our hands dirty using filters in tcpdump. To start, let’s explore one of the most famous interview questions, at least at the junior positions in tech, the tcp 3-way handshake. Below is Figure 7 from RFC 793, Transmission Control Protocol.

      TCP A                                                TCP B

  1.  CLOSED                                               LISTEN

  2.  SYN-SENT    --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED

  3.  ESTABLISHED <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED

  4.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK>       --> ESTABLISHED

  5.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK><DATA> --> ESTABLISHED

          Basic 3-Way Handshake for Connection Synchronization

We can see 2 flags being sent along with sequence and acknowledgement numbers to establish the connection, namely, SYN and ACK.

SYN – Session init request by client
SYN/ACK – Server response to SYN, reflecting a listening port
ACK – Acknowledge data, flag should be set on every packet afer the init SYN

Now let us look at the TCP Header to examine where these flags exist, also taken from RFC 793.

TCP Header Format


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

To understand what we are looking at in the header we must first understand how it is broken down. Each number across the top numbering 1 – 8 represents 1 bit. 4 bits = 1 nibble and 2 nibbles = 1 byte. For example, the first field titled ‘source port’ is 2 bytes/4 nibbles/16 bits long.

The next thing we need to understand before we dive into tcpdump is offset numbers. When looking at the tcp header diagram above, starting in the top left corner, every byte will be one offset starting with 0. Thus, if we look at ‘source port’ it’s contents take up both offset 0 and 1. Offset 0 would by the high order byte and offset 1 would be the low order byte for the ‘source port’ part of the TCP header.

Explaining high order vs low order could be a post of it’s own i suppose, but for our purposes here i’ll try to summarize it into two sentences. If a number is on the left it is usually of more importance in that it effects the overall number more than a number on the right. If you change a number in the tens place [left] you cause more overall change than if you change a number in the ones place [right].

To get back to the TCP handshake, we can see all the flags are located in offset 13. Again simply count each byte starting at 0 from the top left to find out your offset number.

TCP Header Byte Offset 13 [1 byte/2 nibbles]

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Besides SYN and ACK we find the following additional flags:

PUSH – Send data
URG – Signal for out-of-band data
FIN – Graceful termination
RST – Immediate termination
ECE, CWR – Explicit congestion notification related

Alright, now that we have a bit of background taken care of let us get to our first problem to solve. Use tcpdump commands to find TCP establishment attempts from clients to servers. From this filter we will be able to derive things such as what server ports did the clients attempt to establish a connection with.

First part of the question, find TCP establishment attempts, this would require the SYN bit be set to be turned on. In the following i’ll show you what this will look like in offset 13. First in binary and then converting to hex which we will need for our tcpdump filter.

 8     4     2     1     8     4     2     1
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
 0  |  0  |  0  |  0  |  0  |  0  |  1  |  0
          0           |           2
                    0x02

Thus, our first tcpdump command and filter will be a variation of:

tcpdump -r <file.pcap> -nt 'tcp[13] = 0x02'

The ’13’ is the offset within the tcp header we are matching and ‘= 0x02’ means that we are only matching to the SYN packet being set which I think is easy to visualize when looking at the binary conversion we did above. The tcpdump option of ‘-r’ is simply reading the file that follows meanwhile ‘-n’ suppresses hostname lookups and the -t option hides the timestamps in the output.

Sample output from a single matched packet:

IP 192.168.10.59.55796 > 192.168.10.7.25: Flags [S], seq 2766660809, win 29200, options [mss 1460,sackOK,TS val 86960251 ecr 0,nop,wscale 7], length 0

In this request, we can see that the client attempts to connect via port 25

Let’s say we to run through the entire pcap file, pull out the port numbers and only display the unique ones we could run the following:

tcpdump -r <filename.pcap> -tn 'tcp[13] = 0x02' | cut -f 4 -d ' ' | cut -f 5 -d '.' | cut -f 1 -d : | sort -n | uniq -c
reading from file <filename.pcap>, link-type EN10MB (Ethernet)
      32  25
      32  53
      384 80
      15  445
      2   999
      1   4444

The cut tool is a fast way to parse text in linux. The -f option specifies which fields you want to capture while the -d option specifies what separates the fields. I created the above command by cutting up the first 20 packets till I got what I was looking for and then ran my filter on the entire file. To limit the amount of packets in the file you can use either the -c [number] option on tcpdump or | head.

To solidify our understanding let’s try to see the servers response or in other words, the classic SYN ACK.

To visualize what we need to do in our tcpdump filter let’s break it down to what that would look like in offset 13:

 8     4     2     1     8     4     2     1
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
 0  |  0  |  0  |  1  |  0  |  0  |  1  |  0
          1                       2
                     0x12

Above, we’ve turned on the ACK and SYN bits in accordance with the tcp header diagram. Translating both nibbles into hex we end up with 0x12 and thus our filter would look like ‘tcp[13] = 0x12’

tcpdump -r <filename.pcap> -tn 'tcp[13] = 0x12'
reading from file <filename.pcap>
IP 192.168.10.7.25 > 192.168.10.59.59756: Flags [S.], seq 2725832514, ack 2766660810, win 28960, options [mss 1460,sackOK,TS val 85610818 ecr 86920651,nop,wscale 7], length 0

In tcpdump a SYN ACK will be displayed as ‘[S.]’ in the flags section. If you wanted to cut out the specific ports you can use the -c of tcpdump of the first 10 entries until you get your cut filter displaying what you want like we did in the first example but I won’t demonstrate that again here.

Did you know we can use a mask with our search filter in tcpdump?!  Amazing right! This is what actually prompted me to write a blog about tcpdump filters in the first place. As you can see it took a bit of work to make it to this point but here is where things get fun.

Let’s say you wanted to create a filter that will display all packets that has either a FIN or RST flag set.  In other words, we want to look at all the termination packets.

To do this, we want to have a mask that will ignore all of the bits except for what we care about, namely, RST and FIN. In the following I’m going to write out the same visualization I did when we came up with the mask above except I’m going to put an ‘x’ instead of a ‘1’ on our important bits.

 8     4     2     1     8     4     2     1
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
 0  |  0  |  0  |  0  |  0  |  x  |  0  |  x
          0                       5
                     0x05

Since we are still in the 13th offset of the tcp header that remains the same. We attach our mask with the ‘&’ operator.

tcpdump -r <filename.pcap> -nt 'tcp[13] & 0x05 != 0'
reading from file <filename.pcap>
IP 192.168.10.61.57956 > 192.168.10.7.25: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 86920662 ecr 85610828], length 0

‘!=’ simply means not equal to. In this specific case we are saying if either of the bits we care about are turned on or both of them are turned on, we want to see them. In the tcpdumps flag section a termination will show either [F.] or [R.]

For our final act let’s write a filter to match on TCP connecting on port 25 with both PUSH and ACK flags set and any other flags maybe set. You can tell hopefully just by reading this that we will need to use a mask since we see a ‘maybe’ in our problem statement.

 8     4     2     1     8     4     2     1
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
 0  |  0  |  0  |  x  |  x  |  0  |  0  |  0
          1                       8
                     0x18

Since we want both flags to be set, not either, we won’t use ‘!= 0’ instead we will make it ‘= 0x18’

tcpdump -r <filename.pcap> -tn 'tcp dst port 25 and tcp[13] & 0x18 = 0x18'
reading from file <filename.pcap>
IP 192.168.10.61.59756 > 192.168.10.7.25: Flags [P.], seq 15:108, ack 118, win 229, options [nop,nop,TS val 86920654 ecr 85610820], length 93: SMTP: MAIL FROM:<andre@bigpoop.net> SIZE=424

‘tcp dst port 25’ is a macro, meaning it can be run it as is instead of writing out which specifc bit in a offset needs to be on or off to work, someone wrote out a macro to make it easier. One other thing to notice in the filter above is that we used ‘and’ to connect the macro with our other search parameter and mask. So you can connect two search parameters with ‘and’ and you connect your search parameter with your mask with ‘&’

Let’s say you didn’t know the macro existed, you could look at the TCP header and see which offset the destination port is. Go ahead, go and count from the top left, each byte and see if you can get the correct offset numbers. Did you get it? Destination port numbers are set in offsets 2 and 3 and to get up to 25 like the original question asked above we only need the low order byte, offset 3.

So instead of writing ‘tcp[13]’ like in all of our previous examples remember that we are in offsets 2 and 3 here. The following is the logical equivilant to ‘tcp dst port 25 and tcp[13] & 0x18 = 0x18’ The purpose of this section is just to specify what is happening under the hood so to speak when you write out ‘tcp dst port 25’

'tcp[2] = 0x00 and tcp[3] = 0x19 and tcp[13] & 0x18 = 0x18'

Also, as is the case in many different aspects of IT, there is more than one way to accomplish the same task. In this case, instead of using ‘tcp[3] = 0x19 and tcp[2] = 0x00’ we can shorten this up as ‘tcp[2:2] = 0x0019’ which means we are starting at the 2nd offset and matching the next 2 offsets.

It’s been pretty fun learning about packet headers, hex and binary conversion, creating filters to include masks as a tcpdump filter option. The best part about learning about packet headers is that you can do so pretty easily. Tcpdump and Wireshark can be installed simply and support is everywhere. You can start capturing your home lab within a few minutes! Also, networking instructors like Nick Russo have made pcaps highlighting certain types of traffic publicly available. I’m planning on updating my progress as it relates to filters as I dive deeper into SEC503. I hope you’ll join me 🙂

We are about to wrap up a year where the word “unprecedented” has been heard and read by each one of us dozens of times. You’ll hear it once more from me. Many of the plans we made last year were derailed. Families and jobs have been affected. The world has been in turmoil. Even though so much has happened, we have adjusted. We’ve found ways to continue moving forward and that is where we have found our strength, in the adjustment. As people working in IT, we know more than anyone that things can change at the last second. Even when projects seem to be going right on track, a last-minute call can take the team in a different direction. I just wanted to write about two ways IT has adjusted during this unprecedented year. There is value in being able to measure, adjust, and make the change.

BasementVue

Over the years I’ve taken certification tests and they have all been in a quiet controlled environment. I expect to show up, jam my personal belongings into a small locker, and do my best not to make eye contact as I walk to my isolated test center PC. If you’ve taken a certification test, that has most likely been your experience. However, if you have recently taken a test it has probably been in a makeshift test center you created at home. This year I took my Palo Alto Certified Network Security Engineer (PCNSE) exam at home. I could hear the water coming down the pipes above me as the kids took their shower. It was…different. I taped a paper on the basement door that said “Do Not Open – Taking Test!!!” As instructed by the test engine instructions I took pictures of my entire area, submitted them, and waited for the test to begin. I am not sure how many minutes went by, but it felt like the test would never start. I am not sure if that was just me, but I tried not to click on anything just in case. The entire time my mind kept racing “What do I do if my internet starts having issues?” “What if the kids think dad is playing hide-and-seek?” It did not happen though. No fiber cuts and my wife kept the children entertained upstairs. I passed the test. It was different than driving in to the nearby college test center, but it was comfortable. I’d do it again even as things continue to normalize. Or until the fiber cut happens. As you continue to study for your certs, know that taking a test at home is a perfect way to add a win. Depending on your situation, you might not be able to sit at home and take a test.

Short Commute

As the pandemic continued to impact the world, businesses sent their workforce home. Schools were forced to jump into the world of distance learning. Church services were now video-only. For many, it was like an unexpected bucket of cold water being dumped on them. Everyone was scrambling to figure out how to keep things going remotely. IT teams all over the world were at the center of that change. I found myself looking at redundancy and security. While we were not fully remote prior to the pandemic, the framework was already there and being used. Once our offices were told to stay remote, we began to make sure our services were redundant between data centers. A single failure could disconnect our users. We had to ensure the services people used on-prem were available to all. It led to many meetings, change requests, and work. In the end it made the business stronger. These are the opportunities where IT needs to take to come up with solutions that the business can latch on to. How can you help the business adjust? 2020 has opened the eyes of many business globally. Remote work was something that many businesses did not subscribe to or did not know how. Today we are finding out that we can run at the same pace if not faster remotely. As a network engineer, unless I need to physically touch something, I can do my work from anywhere in the world. Being remote has not only extended our network’s reach, it has also placed our focus on security. With people not centralized in offices behind firewalls and other protections, teams have had to figure out how to secure those users while they are at home. A user sitting at home might be a bit more comfortable and let their guard down. Security training, endpoint protection, multi-factor authentication and DNS security existed, but now they really needed to be paid attention to.  Things might eventually go back to normal or they might not. No matter what your business decides to do, be prepared to adjust and provide those needed solutions.

Your guess is as good as mine for what next year will bring. 2020 has been one for the books. One that none of us will easily forget. However, no matter what happens next year always be prepared to adjust. Things can change in minutes and how you react matters. There is value in adjustment.

Standing at the bottom of the mountain looking up is where I find myself yet again.

I joined the Air National Guard full-time in the summer of 2018, 36 years old and beginning what is my 4th, 5th or 6th career or life stage so to speak. Getting back into IT wasn’t something I planned on, instead, I found myself at a pretty ‘OK’ job with benefits going into my mid 30s but not really gaining any transferable skills if I were to lose said job.

Starting as a 3d1x1, or in regular type talk, I was a generalist help-desk person. If you can’t get your email to load, send or save you called my office. If a certain website isn’t loading to your liking, you call my office. If you can’t access a certain file, you contact my office. Basically, if anything doesn’t work to what you’d expect my office would be the first to hear about it. This was my introduction back into IT, and to be quite honest, it was a nice way to be eased back in. I got to see and diagnose a wide variety of issues and learned who did what beyond my scope of responsibilities.

Before long, I started studying networking during my off time. It all started by attending a Cisco CCNA Security Cohort training. This training also came with an ICND1 and CCNA Security exam voucher. I was once CCNA certified way back in 2002 so a lot of old neurons began reconnecting and I was able to make gains rather quickly. In 2019, I cleared CCNA Security, Cloud and Routing & Switching. I moved to Junos and cleared JNCIA Junos, DevOps, Design and Cloud. I did a bunch of other training but nothing that lead to clearing any more certifications yet most importantly, my confidence was starting to grow.

A job opportunity opened up in my organizations infrastructure shop as a 3d1x2 in late 2019 and after a short interview process I was added to the team. Due to being short staffed I worked in both my previous position and my new position for months before being allowed to fully relocate. I got to do a whole bunch of new things, such as, racking and stacking equipment, running cables and on-box troubleshooting/configuration. This was a very fun and welcomed change of pace and yet another opportunity presented itself, a position on my organizations Mission Defense Team. I started on this team, albeit remotely for the most part, about 10 weeks ago.

It is here where I find myself in what feels like the bottom of the mountain again. The Mission Defense Team is a new type of position/shop being developed within the Air Force providing everything a ‘Security Operations Center’ would do. I’m to stand up this shop with five other individuals, of which, most have never been security analysts up to this point. So the task is a large one. We have our equipment but have a lot to learn to truly harness our equipments capabilities.

Where to Start?

There is soooooooo much more to learn to feel like i’m even at the ground level of where I need to be. I read one post that laid out a four year learning plan. Since starting, another thought that continually enters my head is: How does someone jump straight into security. I know security is a ‘hot job’ and what not so a lot of people are going after that money but I can’t for the life of me understand how some ‘starts’ with security. There is so much ground work to be done. In short, it seems like to be proficient, you have to be pretty good at all the things.

Since I’ve been somewhat tied to learning a lot of Cisco due to being on their e-learning platform, I went through their CyberOps Associate training. I found this training to be a great introduction to a Security Operations Center and thought the labs shined as they were the best part and key to learning the basic principles presented.

I’ve also dived into two books:

Network Intrusion Detection, Third Edition by Stephen Northcutt and Judy Novak

– I’ve made it through the first 2 chapters and I really love this book. A lot of the first two chapters was review but the way it was presented with just the slight bits of humer was delightful.

Applied Incident Response by Steve Anson

– I made it to chapter 6 of this book and it was at this point I switched to reading the book just previously discussed. The fact that I switched books doesn’t mean this book is ‘bad’ and I will come back to tackle this one! This book is a bit more advanced and you can really just take your time going through a good three paragraphs as you go on and read all the linked to references.

Where to Go?

This is quite possibly the most important question. I’m always tinkering with my ‘study plan’ and how I should go about sharpening my toolset. My work is going to put me through a SANS course, specifically SEC503 which should take up most of my time.

Besides that, I’ve started trying to follow and locate different ‘InfoSec’ people on the InterWebs. Most notably, I’ve started watching a few YouTube video’s on the Cyber Mentor’s page.

What I’d really like to know, and the purpose of this post, is to ask you, the reader, what do you think I NEED to study/do as a person just getting into this security domain? If you have any suggestions, feel free to hit me up on the twitter and let me know. I plan to keep posting along this journey and let you know what mile posts are in the rearview. Till next time!

This article first appeared on Tim’s blog, carpe-dmvpn.com

Recently I saw a post where different network engineers I really respect gave advice for new network engineers and it got me thinking. What would my own rules be, if I were trying to hand down some wisdom (as if I were wise) to someone starting in the field?

Credibility is the most important thing you possess.

• More important than knowledge, connections, recognition and fame. Knowledge, connections, recognition and fame can be gained, lost, and regained. Credibility is a one-use item. Once lost, it is gone forever.

Own every mistake, no matter how stupid, no matter how large.

• Even if it means getting fired. The truth always comes out, somewhere things are logged, evidence can be correlated, etc. A mistake is a mistake and can be forgiven or at least understood. Hiding it, covering it up, and denying it will damage your career far more than a human error ever would. This industry is smaller than you think, you don’t want that reputation to follow you.

Trust but verify.

• If the sysadmin says the DHCP server is ‘having issues’, if the DBA says the database replication is ‘running slow’, if the infosec guy says there are strange traffic patterns, trust their expertise as you expect them to trust yours. Don’t be in such a hurry to push them away so you can get back to your own work. Be methodical. Take the extra time. If you give a noncommittal ‘No one else is having problems’ all you’ve done is ensure that person will be back with potentially useless evidence in five minutes, or worse, a critical incident is opened and it might be the network after all. Tell them what you need to further investigate, help them help you prove it’s not the network.

When there’s a fire, be the firefighter, not the police.

• In places with very punitive leadership, often a critical incident is less about restoring services than it is about clearing yourself as a suspect. If the hot potato is yours, there’s no point trying to hand it off, so don’t waste time. Similarly, when another team is desperately trying to blame you to save themselves, don’t panic. The root cause is the root cause already, it’s not going to change. Get services restored. Investigation comes later. By the time you are working on a critical incident it’s too late to panic about whether or not it’s the network. Above all, remember Rule #1 and Rule #2.

Wireshark doesn’t lie.

• No matter what strange things are happening, no matter how much it seems to be the network causing a problem, get a packet capture. I once implemented DHCP snooping and the next day DHCP was failing everywhere. After a Wireshark capture, it was proven to be an infosec security scanning application that locked the DHCP database on a Windows server so no new leases could be recorded. Wireshark showed the NACKs from the DHCP server rescinding the leases because it was unable to record the lease in the database. Critical incident root cause determined, not the network even though all the ‘evidence’ pointed that way. Get a packet capture.

When you are proven right, don’t be a jerk about it.

• Everybody gets to ride the Right and Wrong carousel from time to time. Your coworkers will appreciate the humility and understanding, and you’ll strengthen bonds instead of cutting them. There’s rarely a prize for being right, but there’s always one for being a jerk about it. Hint: It’s not a prize you want.

When you are proven wrong, don’t be a jerk about it.

• Don’t make up excuses for it. Don’t blame others (even if you believe others are to blame). It’s not a good look. If someone throws you under the bus, that will come out later when they do it to another. Guard your credibility. Everyone is wrong eventually, but how you act when wrong is how people will remember you.

There’s no such thing as being irreplaceable.

• Don’t hoard knowledge and don’t try to become Brent from the Phoenix Project. If Brent had been a cantankerous ass who refused to train anyone, he would have been a liability, not irreplaceable. In short: Job security is in sharing what you know and helping the team succeed, not in being the only one with the keys to the kingdom. Someone like that is a threat to an organization, not an asset, and they will be dealt with eventually.

Automation isn’t the cure for human error.

• It can minimize the occurrence, but make the blast radius global. Say it once more, with feeling. Automation allows you to screw up at scale. As the industry embraces network automation, remember that without understanding networking, how can you trust what you are automating?

Expertise is the result of experience.

• All experience is useful. I’ve learned a lot from labs, from production, consulting, reading, watching videos. I’ve learned more from failure than success. Those who shortcut expertise doom themselves to a career of chicanery. Yes, I’m talking about cheating. Stop a moment and consider the end result of passing a test without the expertise associated. What is the next step, exactly? Will your next job have a dump of their network for you? The sad fate of these people is they tend to bounce from job to job quickly, as their lack of expertise is uncovered. Don’t doom yourself to a career of jumping around as you get discovered as a fraud. It’s far easier to just learn expertise than to fake it.

So, I came up with ten. I could have done far more but that was the idea, 10 essential rules. I’ll present them here, and I’m curious how you feel about them. So curious that I’m actually updating my blog.

By the way, here’s a link to that post, it’s far better than anything I can write. https://twitter.com/rowelldionicio/status/1262874206233980928

This article first appeared on Ben’s blog – packitforwarding.com

I don’t know about you, but this year has really kept me kind of down. I really missed seeing friends at tech conferences this year and I’m starting to go a bit stir crazy limiting my travels to about 10 miles from home. That’s why I am inviting you all to participate in a little fun.

I’m proposing a Geek to Geek exchange. Starting now and until November 13th, I will be accepting participants using this form.

I want this to be fun for all so please be considerate of others. Only sign up if you can commit to sending something (possibly internationally) by December 15th. The packages don’t have to be elaborate, just a little fun to make someone’s day. Who doesn’t like getting a package in the mail? Please no bag of dicks or other such “novelty” sites.

I promise that all data collected will only be shared with your secret Geek match and that it will all be securely deleted after the event is over.

This article first appeared on David’s blog, https://zerosandwon.blog/.

If you are reading this, you are probably trying to study and a very important question has come up: “How do I even make time?”. I look across social media and that is one question that seems to be a concern for many of us. Whether you are studying for a certification, class or even to acquire a new skill, time must be dedicated. If you can show up at every test without taking the time to study and you ace each test, there is no need to read further. However, if you are like the rest of us who often struggle juggling work, family, and everything else that comes behind it, the next few paragraphs will hopefully provide some encouragement.

I’ll be honest, I can be a bit lazy at times. Why not? I deserve it don’t I? Don’t we all? My main struggle when it comes to studying is a mix of procrastination and laziness. “Tomorrow is a better day!”. “I am starting next week!” “I am going to start the week after!” These are some of the things that come to mind when I want to sit down and dive in to any type of study. However, I’ll then turn around and burn through a couple hours of Xbox. It makes no sense. Gaming is great, but gaming is not teaching me the necessary skills I need to progress at work or to implement a specific project. Studying will. Yet, my approach to studying is often lackadaisical. When I started studying for the Cisco Certified Network Associate (CCNA) years back, procrastination was my main problem. The appetite for studying was not really there. Since there was no hunger for it, other things began to distract me. At work, other’s would fill me in on how their studies were going. One thing I noticed about those that were studying…they were learning. They were able to apply what they learned at work. That flipped a switch. For myself, recognizing that the journey to the CCNA was slightly more important than the CCNA itself made a difference. Sure, you can take a test and pass it…but did you learn anything? Are you able to apply the concepts you learned to real-life business scenarios? Memorizing terms is one thing, but knowing what those terms are is another. Having the need to apply what I learned to make myself and the business better pushed me to complete the CCNA. I was already in a Network Engineering role when I started the CCNA journey so it was a little easier to apply learned topics to those real life scenarios. Many who are reading this might be working their way towards their role of choice and studying at the same time. There might not be a place right now where you can apply the learned concepts. There will be. Those doors will open up. The important part is getting the hunger to study. If you do not make it a priority, something else will fall in its place.

When it came to pursuing my Cisco Certified Network Professional (CCNP) cert, the problem was no longer procrastination. I was on fire to reach another level and continue learning. However, mine and my wife’s time was now spent on learning how to be parents. My son was just born when I started studying for the CCNP Route exam. There was a new priority, my son and he needed to remain the priority. No matter what, family will always come first. Studying, gaming, even coffee will come after. So now it was a matter of finding the time to fit in studies where I could. I would return from work and I wanted to help my wife with my son. She was tired and I wanted to give her a break. The studying happened, but it was not as much as I wanted. I would find time at night before sleep, during the baby’s naps, and on the weekends. I’d say no to hanging out with friends just because that was valuable time I could use to try and lab subjects I was reading on. It took me three tries to pass the Route exam. Now, I am not going to blame my son for that (maybe), but I was able to pass it. Each time I failed I made sure to double-up on studies on the areas I felt weak in. Each time I failed I did feel a little deflated. My wife always encouraged me to go study and to not worry about everything else. At this point, my purpose for passing was just not to apply learned concepts to business scenarios, but it was also to obtain new opportunities that would benefit my family. I continued to study and was able to pass the Switch exam as well as the Tshoot. You might be dealing with a similar scenario. The time to study is rare because there are other important things going on. Don’t let that discourage you. Take advantage of the available time you have. You might have failed an exam once, twice or however many times. Keep studying, keep going! One thing I did not do that I would (and will) is wake up earlier. I love sleep. Especially since the kids wake up early; any opportunity I can take to sleep an extra minute or two, I am taking. However, that can be valuable study time right there.

This year I took Palo Alto’s PCNSA and PCNSE exams. Now there are two kids running around! Thankfully they are slightly older and have set bed times. As soon as they were in bed, I jumped straight to the material. Some people prefer to study in the mornings. Some people prefer to study at night. I am more of a night owl. I usually go to sleep late. I feel more comfortable staying up late, reading and making notes. Some people do not. You have to see what fits your schedule and more importantly, what is comfortable. If it is difficult for you to study at night, don’t do it. Try to find time earlier in the day. As I mentioned before, waking up earlier is a dreadful option, but some people are into it. If you are not able to study comfortably, it will be more difficult to retain the information. I took advantage of the evenings and was able to pass the PCNSA. I followed the same schedules and studied for the PCNSE. This evening thing seemed to work out for me! I passed the PCNSE. One things I did not do is study more than 4 hours each day. My study time during the week was between 2-4 hours. This worked for those particular tests. I had previous experience on Palo Alto, so that also helped. On the weekends I would spend more time studying. If you are studying for something completely new, you will probably have to make more time for the material and labs. Don’t try to jam in all that time into one day, space topics out to several days if needed. The important piece is to make sure you are comfortable and well rested. This will help you mentally capture more information.

Sometimes I compare studying to health. The same medicine that works for one person might not work for the next. Everyone is different. Everyone studies differently, takes notes differently and labs differently. Don’t feel discouraged if your journey is taking a little longer than someone else. If you sit down and look at social media, people are passing tests left and right. It’s great! However, don’t compare your progress to someone else. You are at the right place at the right time. Find the time you can and fill it, even if it means getting up early (ugh!). Always keep in mind why you are studying. What is the endgame? Use that as your motivation. Keep studying and good luck!