Consider the following code:

The above code is not a valid C code.

But the following code is valid:

Before compilation, the macro START, INTEGER, PRINT and END has been replaced by their value, and the code becomes a valid C code. We can check using the following command:

This command will show after expanding all the macros.

Now we will see different types of macros:

1. Object-like macros:

Syntax:

• Macro is always starting with #define
• macro_name is a user-defined name of the macro
• macro_value is the value of the macro. It may be anything, but one line and the macro body ends with that line’s ends. It does not require semicolon (;) at the end. Space is also considered.

If the macro takes more than one line we can do it as follows:

This macro looks like a data object that’s why this type of macro called as an object-like macro.

In Exapmle2.c, MAX is a macro. From the output, we observe that MAX is replaced by its value 200.

2. Function-like macros:

Syntax:

macro_name is a user-defined name of the macro. Pair of parenthesis has to put after the macro_name. No space is allowed between macro_name and parenthesis. We also can pass arguments in this type of macros.

This macro looks like a function call that’s why this type of macro called a function-like macro.

In Example3.c, we have seen that unlike C’s function, the macro replace only the code with arguments without calculating it. So, we can pass different data type using the same macro.

If we put a space between the macro name and parenthesis, it works the same as an object-like macro. Below C Example illustrates this.

In Example4.c, we have seen that the macro add is replaced by (x,y) x+y . Same as an object-like macro.

3. Macro for Token Pasting:
In C language, ## operator is used for token pasting. Using this operator, we can combine two valid tokens into one valid token.
Example:

If we try to token pasting that does not generate a valid token, the C compiler gives an error or warning.

In Example6.c, we have an error message because, after a combination of two tokens, we get an invalid token ’52+’.

4. Macro for Stringizing:
In C language, # operator is used to converting a macro parameter into a string constant. When a # operator precedes with a macro parameter, the parameter converts to a string literal. Stringizing can be used for object-like and function-like macros.
Example:

In Example7.c we have got a string “Hello World” using STRINGIZING macro.

Conclusion:

This article has learned about all types of macro-like Object-like macros, Function-like macros, Macro for Token Pasting, Macro for Stringizing and Macro for Stringizing in C language. Now we can use a macro in our C program without any doubt. ]]> https://linuxhint.com/python-lambda/ Sat, 30 Jan 2021 16:51:13 +0000 https://linuxhint.com/?p=88062

In this article, we will try to learn about Python Lambda.

Definition

Lambda is a function defined without a name. This can take multiple arguments, but only one expression is allowed that is evaluated and returned. Where function objects are required, we can use the lambda function.

Syntax:
lambda arguments: expression

Example 1: The function below is used to calculate the cube of a number.

The above function can be written using lambda, as shown below:

Example 2: The function below is used to calculate the sum of two numbers.

The above function can be written using lambda, as shown below:

Example 3: The example below for lambda takes multiple arguments.

Example 4: This function multiplies the number by 2 and can be written using Lambda function as below:

Example 5: The function takes function as an argument and returns the result.

Example 6: In the example below, lambda is used to sort the values.

Now, go into python3 interpreter.

The lambda function is used in many inbuilt methods. The following are some examples:

1. Map

This function maps each element in sequence using the lambda function.

Syntax:
map(function, seq)

Ex:
nums = [1,2,3,4,5,6]
Here, we will multiply each element in the list by 2.
mul_2 = map(lambda x: x*2, nums)
print(list(mul_2)) # It returns map object and typecasting it as list.

In the above function, each element of thelist is passed to the lambda function and the lambda function will multiply it by 2.

2. Filter

This function filter out all the elements of a list for which the lambda function returns True.

Syntax:
filter(function, seq)

Ex:
nums = [0,1,2,3,4,5,6,7,8,9,10]
odd_nums = filter(lambda x: x % 2, nums)
print(list(odd_nums)) # It returns map object, and typecasting it as list.

3. Reduce

This function returns a single value by applying function func() to the seq.

Syntax:
reduce(func, seq)

Ex:
nums = [0,1,2,3,4,5,6,7,8,9,10]
value = reduce(lambda x,y: x+y, nums)
print(value)

In the above list, it will take the first 2 elements and perform addition. The result of an addition will be added to the third element and so on. Finally, it will return a single value.

Note: This method is not available in the python3+ version.

Conclusion

From this article, we have learned many aspects of the lambda function. Depending on what the program needs, we can use it and make better python coding. This is most commonly used to pass arguments to another function (for example, we have seen above functions map, filter, and reduce).

Definition
In Python, a file is a location on disk used to store information, which some names are associated with it. It is used to store data permanently in a non-volatile (non-volatile means retains data even if power loss) memory (Ex: hard disk).

Syntax
file_pointer = open(filelocation, modes, encoding= encoding_type)
encoding is an optional parameter

Files can be opened in any of the following modes:

• r –> read mode
• w –> write mode
• a –> append mode
• +  ->  append this to the above modes to open the file for reading and write modes Ex: r+

To open a file in binary mode append “b“ to the above modes.

Ex: To open the file a binary file in readmode use “rb“.

How to enter into python interpreter?

Open Linux terminal and type “python” and hit enter so we will see python interpreter. For python3+ version type “python3”,  we are going to see the following info on the terminal. If we want to check the Python version, type “python -v”.

In Python a file, this  operation is performed in the following order:

1. Open a file
2. Read or write or append: When we specify write mode, the file will be opened in write mode if it exists, otherwise, it is going to create the file. This is applicable for append mode also. In read mode, if file exists, it opens in the read mode, otherwise, throws FileNotFoundError exception.
3. Close the file

Open a file

Inbuilt method open() used.

Ex:

Closing a file

Inbuilt method close() used.

Ex:

Safer way to open and close files using exception handling:

Using this method, we are making sure that the file is closed always.

File operations using with

The best way to perform file operation and most commonly used method with statement. Using this ensures that the file is closed when the block inside with is exited.

Ex:

When we exit with block, the file will be closed automatically.

Write to File

To write into a file, we need to open it in write ‘w’ or append ‘a’.

To write to a file, python has the following inbuilt methods:

write(): This method writes the string to a file.

Ex:

If we open the textfile.txt file, we see the above lines are written successfully.

writelines() : This method writes the list of strings to a file.

Ex:

Reading from file

To read a file in Python, we must open the file in reading mode ‘r’.

To read from a file, python has the following inbuilt methods:

read():   

read(4): This method reads the first 4 characters from the file.

Ex:

read() : This method reads till end of file.

Ex:

readline(): This method reads one line at a time.

Ex:

readlines(): This method read all lines in the file and returns a list.

Ex:

for loop: This is the most commonly used way of reading a file. We can read a file line by line using a forloop. This is an efficient and fast way of reading a file.

Ex:

Traverse in a file

The following methods are used to traverse in a file.

tell(): This method is used to get the current file position in a file.

Ex:

seek(): This method used to bring/place file cursor to a given position in a file.

Ex:

truncate(): This method is used to modify/resize the file to a specified size in a file.

Ex:

flush() : This method flush/clear a buffer.

Ex:

Conclusion

In Python, a file is a location on a disk that is used to store information. File handling in Python is simple and easy. Also, in Python, different modules are available for handling different typess of files.

Ex:

In this article, we will make Linux set up and capture HTTPS (Hypertext Transfer Protocol Secure) packets in Wireshark. Then we will try to decode the SSL (Secure Socket Layer) encryptions.

Note that: Decryption of SSL /TLS may not work properly through Wireshark. This is just a trial to see what is possible and what is not possible.

What are SSL, HTTPS, and TLS?

Actually, all these three technical terms are interrelated. When we use only HTTP (Hypertext Transfer Protocol), then no transport layer security is used and we can easily see the content of any packet. But when HTTPS is used then we can see TLS (Transport Layer Security) is used to encrypt the data.

Simply we can say.

HTTP + (over) TLS/SSL = HTTPS

Note: HTTP sends data over port 80 but HTTPS uses port 443.

Screenshot for HTTP Data:

Screenshot for HTTPS Data:

Make Linux set up for SSL packet description

Step 1
Add below environment variable inside the .bashrc file. Open the .bashrc file and add the below line at end of the file. Save and close the file.

Now execute the below command to get the effect of it.

Now try the below command to get the value of “SSLKEYLOGFILE”

Here is the screenshot for all the above steps

Step 2
The above log file is not present in Linux. Create the above log file in Linux. Use the below command to create a log file.

Step 3
Launch default installed Firefox and open any https site like Linuxhint or Upwork.

Here I have taken the first example as upwork.com.

After the upwork website is opened in Firefox, check the content of that log file.

Command:

If this file is empty then Firefox is not using this log file. Close Firefox.

Follow the below commands to install Firefox.

Commands:

Now, launch Firefox and check the content of that logfile

Command:

Now we can see huge information like the below screenshot. We are good to go.

Step 4
Now we need to add this log file inside Wireshark. Follow below path:

Wireshark->Edit->Preferences->Protocol->SSL->”Here provide your master secret log file path”.

Follow the below screenshots for visual understanding.

After doing all these settings, do OK and start Wireshark on the required interfaces.

Now the set up is ready to verify SSL decryption.

Wireshark Analysis

After Wireshark starts capturing, put filter as “ssl” so that only SSL packets are filtered in Wireshark.

Look at the below screenshot, here we can see HTTP2 (HTTPS) is opened for some packets which were SSL/TLS encryption before.

Now we can see the “Decrypted SSL” tab in Wireshark and HTTP2 protocols are opened visible. See the below screenshot for pointers.

Let’s see the differences between “Before SSL log file enabled” and “After SSL log file enabled” for https://linuxhint.com

Here is the screenshot for packets of Linuxhint when “SSL log was not enabled”

Here is the screenshot for packets of Linuxhint when “SSL log was enabled”

We can see the differences easily. In the second screenshot, we can clearly see the URL that was requested by the user.

https://linuxhint.com/bash_scripting_tutorial_beginners/\r\n

Now we can try other websites and observe if these methods work or not.

Conclusion

The above steps show how to make Linux set up to decrypt SSL/TLS encryption. We can see it worked well but some packets are still SSL/TLS encrypted. As I mentioned earlier it may not work for all packets or completely. Still, it’s good learning about SSL/TLS decryption.

Definition: Decorator is a design pattern in Python. It is a function that takes another function as an argument, add some functionality to it without modifying it, and returns another function.

This is called using “(@)” and placed before defining a function that we want to decorate.

syntax:

@decorator name
Function definition

For understanding decorators, we need to know the below concepts.
Functions are first-class objects. It means a function can be passed as an argument, can be returned from another function, can be assigned to a variable, can be defined in another function. For a better understanding, see the below examples.

1. A function can be passed as an argument
   Ex:
   def increment(n):
     return n + 1
   
   def demo_funcall (function):
     num = 5
     return function(num)
   
   demo_funcall (increment)

   Here increment function passed as an argument

   example1.py:
   

   Output:

   >> python example1.py
   

2. Function can be returned from another function
   Ex:
   def wish():
       def say_wish():
         return "Happy Birthday"
       return say_wish
   
   hello = wish()
   hello()

   example2.py:
   

   Output:

   >>python example2.py
   
   Here say_wish function returned from the wish function

3. Function can be modified and assigned to a variable
   Ex:
   def add(a,b):
          return a +b
   
   sum2nos = add # Here function add assigned to variable
   sum2nos(5,11)

   example3.py:
   

   Output:
   >> python example3.py
   

4. Define function inside another function
   Ex:
   def add(a,b):
           def sum2(a,b):
               return a + b
           res = sum2(a,b)
           return res
   add(10,15)

   example4.py:
   

   Output:
   >> python example4.py
   

Closure:

Python allows a nested function to access the outer scope of the enclosing function.

example5.py:

Output:

>> python example5.py

After understanding the above concepts now, we will write a decorator example.

Ex1: Here, we will decorate the message function. Printing the msg inside **** without modifying the original function, i.e., message function.

example6.py:

Output:

>> python example6.py

In the simplest form, we can place decorator on top of the function definition and call the function as shown below:

Here whatever string we want to decorate inside ***, use this decorator.

Output:

Multiple decorator:

We can have multiple decorator for a single function. Here the decorator is applied in the order we called.
syntax:
@decorator2
@decorator1
Function definition

Here 1st decorator will be applied, then 2nd decorator.

Passing arguments to decorator functions:

We can pass arguments to the wrapper function. The arguments passed to the function for which we want to decorate.

Ex:

example7.py:

Output:

>> python example7.py

Pass variable number of arguments to decorator function:

We can pass any number of arguments using *args (Non-keyword arguments like numbers) and **kwargs (keyword arguments like a dictionary). Both are positional arguments and stores the arguments in args and kwargs variables.

Note: Here, we can use any name instead of args and kwargs, but these names are recommended to use.

Ex:

example8.py:

Output:

>> python example8.py

Ex2: Suppose we have 2 function
Function1: Calculate the sum of numbers from the given list
Function2: Multiply each number by 2 and add them to the given list of numbers
If we want to calculate the time taken by each for execution, can do it in 2 ways

1. Place code in between the start and end time in each function
2. Write decorator for calculating time

See below code solved using decorator:

example9.py:

Output:

>> python example9.py

The above decorator can be used for calculating execution time for any of the functions. By using a decorator, we can avoid repeated code when we have a requirement for calculating the execution time to place the decorator above the function definition.

Conclusion:

Decorators change the functionality of a function/method without changing the original code of the function is being decorated. Using this, we can avoid writing repeated code. Knowing the decorator concept will make us strong in python. We can use decorator in the below cases:

• Authorization in Python frameworks Ex: Flask and Django
• Logging
• Measure execution time

Let’s see the following example:

These 3 1D arrays can be represented as a 2D array as follows:

Let’s see another example:

These 3 1D arrays cannot be representing as a 2D array because the sizes of the arrays are different.

Declaration of 2D array

data-type array-name[ROW][COL]

• Data-type is the data type of the array elements.
• Array-name is the name of the array.
• Two subscripts represent the number of rows and columns of the array. The total number of elements of the array will be ROW*COL.

int a[2][3];

Using the above C code, we can declare an integer array, a of size 2*3 (2 Rows and 3 Columns).

char b[3][2];

Using the above C code, we can declare a character array, b of size 2*3 (3 Rows and 2 Columns).

Initialization of 2D array

We can initialize during declaration in following ways:

1. int a[3][2] = {1,2,3,4,5,6};
2. int a[][2] = {1,2,3,4,5,6};
3. int a[3][2] = {{1, 2},{3, 4},{5, 6}};
4. int a[][2] = {{1, 2},{3, 4},{5, 6}};

Note that in 2 and 4 we have not mentioned the 1^st subscript. The C compiler automatically calculates number of rows from the number of elements. But the 2^nd subscript must be specified. Following initializations are invalid:

1. int a[3][] = {1,2,3,4,5,6};
2. int a[][] = {1,2,3,4,5,6};

In Example1.c, we have declared an integer array of size 3*2 and initialized. To access array elements, we use two for loop.

To access row-wise, the outer loop is for rows, and the inner loop is for columns.

To access column-wise, the outer loop is for columns, and the inner loop is for rows.

Note that when we declare a 2D array, we use a[2][3], which means 2 rows and 3 columns. Array indexing starts from 0. To access the 2^nd row and 3^rd column, we have to use the notation a[1][2].

Memory mapping of a 2D array

The logical view of an array a[3][2] may be as follows:

Computer memory is a 1D sequence of bytes. In C language, a 2D array store in the memory in row-major order. Some other programming languages (e.g., FORTRAN), it stores in column-major order in the memory.

Pointer Arithmetic of a 2D array

To understand the pointer arithmetic of the 2D array, first, have a look at the 1D array.

Consider a 1D array:

In 1D array, a is a constant, and its value is the address of the 0^th location of the array a[5]. Value of a+1 is the address of the 1^st location of the array a[5].  a+i is the address of the i^th location of the array.

If we increment a by 1, it is incremented by the size of the data type.

a[1] is equivalent to *(a+1)

a[2] is equivalent to *(a+2)

a[i] is equivalent to *(a+i)

In Example2.c, the memory address is showing in hexadecimal. The difference between a and a+1 is 4, which is the size of an integer in bytes.

Now, consider a 2D array:

b is a pointer of type: int[ ][4] or int(*)[4]

int[ ][4] is a row of 4 integer. If we increment b by 1, it is incremented by the size of the row.

b is the address of the 0^th row.

b+1 is the address of the 1^st row.

b+i is the address of i^th row.

The size of a row is: ( Number of column * sizeof(data-type)) bytes

Size of a row of an integer array b[3][4] is: 4 * sizeof(int) = 4 * 4 = 16 bytes

A row of a 2D array may be viewed as a 1D array. b is the address of the 0^th row. So, we get the following

• *b+1 is the address of the 1^st element of the 0^th
• *b+j is the address of the j^th element of the 0^th
• *(b+i) is the address of the 0^th element of the i^th
• *(b+i)+j is the address of the j^th element of the i^th
• b[0][0] is equivalent to **b
• b[0][1] is equivalent to *(*b+1)
• b[1][0] is equivalent to *(*(b+1))
• b[1][1] is equivalent to *(*(b+1)+1)
• b[i][j] is equivalent to *(*(b+i)+j)

Address of b[i][j]: b + sizeof(data-type) * ( Number of column * i + j)

Consider a 2D array: int b[3][4]

Address of b[2][1] is : b + sizeof(int) * (4*2 + 1)

In Example3.c, we have seen that size of a row is 16 in decimal notation. The difference between b+1 and b is 10 in hexadecimal. 10 in hexadecimal is equivalent to 16 in decimal.

Conclusion

So, in this article, we have learned about

1. Declaration of 2D array
2. Initialization of 2D array
3. Memory mapping of 2D array
4. Pointer Arithmetic of 2D array

Now we can use 2D array in our C program without any doubt,

References

Credit for some ideas in this work were inspired by the course, Pointers and 2-D Arrays, by Palash Dey Department of Computer Science & Engg. Indian Institute of Technology Kharagpur

No Interfaces are listed in Wireshark:

Let’s see this issue and try to solve it.

Step1:

First of all, we need to see how many interfaces are there in our Linux PC.

We can use the command “ifconfig” to see a list of up interfaces in our Linux pc. So open terminal (Short cut Alt+Ctrl+t) and run command “ifconfig”

Outputs:

It should list down all up interfaces. Here is the screenshot for the “ifconfig” output

Here we can see three interfaces, including loopback interface “lo”.

If we want to see all interfaces in our system, including down interfaces, then use the command “ifconfig -a”

Step2:

Now launch Wireshark from the command line.

Screenshot:

Output:

Now we do not see the interfaces that we have seen from the previous output of the “ifconfig” command. On the right side, we can see “All interfaces shown” is selected.

Then what is the issue? Why Wireshark not able to detect required interfaces?

Let’s see.

Step3:

Close Wireshark and come back to the terminal. Here we can see the user is a normal user [Example: “rian”], but we need to launch Wireshark in superuser mode; otherwise, Wireshark is allowed to access the system interface list. Let’s try it out.

Output:

Now we can see the prompt as “root@”. This means we are in root. Let’s try to launch Wireshark again from the terminal.

Output:

All interfaces are listed down here on the Wireshark home page. Required interfaces are marked with a blue circle. These are the same interfaces that we have seen in the “ifconfig” command output.

In Linux, running Wireshark in sudo or superuser mode solves the problem.

We have seen in superuse mode. Let’s try if doing “sudo” works or not.

Command sequences:

1. Close Wireshark and enter “exit” to come out from the root.

2. Type the command “sudo wireshark” and enter the password for user “rian”. No need of a root password.

Here is the screenshot for the above steps 1 and 2.

Here is the home screen of Wireshark

All interfaces are listed down here.

Capturing Test:

Note: “enp1s0” is an Ethernet interface, and “wlp2s0” is a Wi-Fi interface.

As we see, interfaces are listed down, so let’s try to capture in one interface to see if it’s working or not.

See the below screenshot and double-click on the first interface.

As soon as we double click on the “enp1s0” interface, it starts capturing. Here is the screenshot for live capturing on interface “enp1s0”

We can try on capturing other interfaces also to see if it’s working.

Now double click on “wlp2s0” to start capturing. Here is the screenshot for live capturing.

Conclusion

In this article, we have learned how to solve the problem when Wireshark cannot detect or list down all interfaces from the Linux system. And there are two ways we can resolve this; either launch Wireshark in superuser mode or using sudo.

Syntax:

We need to take special care when we declare tuple with single element.

If we omit comma (,) here, it will be a normal integer variable.

In the first example, the type is tuple.

In the second example, the type is integer.

Other way of declaring a tuple:

How to enter into Python interpreter?

Open Linux terminal and type “python”, then hit enter so we will see python interpreter. For python3+ version, type “python3”, these are the following info we are going to see on the terminal. If we want to check python version, type “python -v”.

Output:

The following operations can be performed on tuple:

Tuple Slice

This is useful when we want only part of the tuple.

Note: Tuple index always starts from 0. Tuple can be traversed in forward and reverse direction (using negative index).

Example:

Syntax:

Here, stop is excluded. If we provide only start, it will extract all the elements from start to end of tuple. If we provide only stop, it will extract from 0th index to stop index. We can omit both start and stop, in that case, we need to provide at least colon (t[:]). If we don’t provide step value default, the value will be 1.

Ex:

In this example, we would want to extract elements “1,2,3,4”.

Suppose we want to extract elements “3,4,5,’i’,’hi’,10.5”

Suppose we want to extract elements “2,3,4,5,’I’,’hi’ ” (using reverse index)

Suppose we want to reverse a tuple

Nested Tuples

We can declare tuple in a tuple, i.e., nested tuples.

Consider nested tuple as another tuple and its index also starts from 0.

We can access nested tuples elements as below:

1. Find nested tuple index in main tuple
2. Find nested tuple index

Ex:

In the example below, we want extract “3” from nested tuple. Here, the main tuple index is “t[2]”, and nested tuple “(3,4,5)” index is “0”. So, the final expression is “t[2][0]”.

In the second example, we extracted “b” from nested tuple using expression “t[5][1]”.

Length

This method returns number of elements in tuple.

Syntax:

Access tuple by element using loop

Syntax:

For variable in tuple variable:

Repetition

This is useful when we want to repeat the tuple for given number.

Syntax:

Example:

Here, the tuple is repeated 2 times, as shown below.

Concatenation

This concatenates or combines 2 tuples.

Syntax:

Search element in a tuple

This return “True” if element found in tuple else return “False”.

Syntax:

Index

This method is used to find the index of element in tuple. If found returns “index of the element” else value error exception is raised.

Syntax:

Count

This method is used to count occurrence of element in tuple.

Syntax:

Delete tuple

We can’t remove individual elements from tuples since it is immutable. But we can delete entire tuple.

Syntax:

In the above example, we declared tuple t and printed t. After that, we deleted a tuple using “del t” and tried to print tuple. It throws nameerror exception because “tuple t” doesn’t exist.

Minimum

This method is used to find minimum value of element in a tuple.

Syntax:

Maximum

This method is used to find minimum value of element in a tuple.

Syntax:

Compare 2 tuples

This method is used to compare elements of 2 tuples.

1. Return 0 if elements of both tuples are equal
2. Return 1 if elements of the first tuple are greater than the second tuple
3. Return -1 if elements of the first tuple are less than the second tuple

Syntax:

If elements types are mismatched, then element is converted to int type.

Tuples are compared index by index. The 1^st element of the 1^st tuple is compared to the 1^st element of the 2^nd tuple. If they are not equal, this is the result of the comparison, else the 2^nd element is considered, then the 3^rd element, and so on.

Conclusion

Tuple is immutable data type, and any operation we perform should be stored in another tuple variable. It is faster compared to the other data types (ex: list, dictionary). Since tuple is immutable in our program, the data is not going to change the entire software life cycle, we can use tuple like system configuration data.

The above is most commonly and generally used operation on tuple. If we want to check what all the operations are supported for tuple, type dir(tuple) on interpreter and hit enter. It will display all methods/function. If we want to check documentation for tuple method/function, type help(tuple) and hit enter. ]]> https://linuxhint.com/change-time-format-wireshark/ Sun, 15 Nov 2020 08:13:46 +0000 https://linuxhint.com/?p=76761 Wireshark is a popular network capturing and analysis tool. There are many options for doing better and quick analysis. One of them is using the time format in Wireshark. Let’s understand for this article how to use the time format in Wireshark.

Where is time in Wireshark capture?

Let’s open one saved capture to understand the time option in Wireshark. Now we can see below screenshot that the second column is a time-related column.

Where is “Time Display Format” in Wireshark capture?

Now we can check what the “Time Display Format” in Wireshark is.
Go to View->Time Display Format. Here is the output

Meaning of each option:

To understand this, we will select one option and see the effect on Wireshark capture. Let’s label each option one number for easy understanding.

As we see, there are two sections

The First 1 to 10 options are for time display format, and the next 1 to 7 options are for the time unit.

Let’s keep next option 1 (See below screenshot)

constant and make changes for the first 1-10 options.

Option 1:

Now we will see the date and time for each packet of Wireshark. Here is the output screen

Option 2:

Now we will see the year, day of the year, and time of the day. Here is the output screen

Option 3:

After selecting this option, we can see only the Time of the Day. No year is shown.

See the below screenshot.

Option 4:

This option enables time in second in Epoch Time style. Here is the screenshot.

Option 5:

After selecting this option, we will see the first packet of captured time is set to 0.00 second, and after how many seconds the next packet was captured. So we will see the time will be increasing.

See the below screenshot.

Option 6:

This shows the time for each packet with reference to the previous capture packet. So we will see time as “Time delta from previously captured frame” second for the current packet.

See the below screenshot.

Option 7:

This option shows the time as “Time delta from previously displayed frame” second for the current packet. Actually, “option 6” and “option 7” are the same for maximum times. That’s why we do not see any differences.

See the below screenshot.

Option 8:

This shows the time as UTC [Coordinated Universal Time] Date and Time of the day. This option is almost the same as “option 1,” but the Time of day is different.

See the below screenshot.

Option 9:

Now we will see UTC year, day of the year, and time of the day.

Here is the output screen

Option 10:

After selecting this option, we can see only UTC Time of Day. No year is shown here.

We are done with the first set of options. Now, let’s see how the time unit affects the Wireshark packet time.

Keep below time format constant

Option 1:

This gives the default Date and Time from capture.

See the below screenshot.

Option 2:

Now see the difference between option1 and this option. We can see time is shown till the second.

Check the below screenshot.

Option 3:

This option shows “Tenth of Second” for time.

Check the below screenshot.

Option 4:

This option shows “Hundredths of Second” for time.

Check the below screenshot.

Option 5:

This shows the millisecond part after second. Look at the below screenshot.

Option 6:

Now we can see a microsecond part of the time. See the below screenshot.

Option 7:

This option enables a microsecond part of the time. See the below screenshot.

Check Box

As our current Time Format is already having Hours and Minutes, so it does not affect.
So, we can play a combination of all these options.

Try one random combination:

Let’s see the effect of the below combination

Output [Look at Day Time column]:

Conclusion:

Now we know the time formats and units, we may think, what is the use of all these different options? This help does Wireshark capture analysis. We may need a different time scale to see many factors from Wireshark captures. So, it’s all about quick and better Wireshark capture analysis.

In C, the memset() function is used to set a one-byte value to a memory block byte by byte. This function is useful for initialization of a memory block byte by byte by a particular value. In this article, we will see in detail how this function can be used. So, let’s get started.

Header File:

Syntax:

This function sets the first n bytes of the memory block pointed by str by ch.

Arguments:

The function takes 3 arguments:

1. str: This is the pointer of the memory location where the memory will be set. This is a void pointer, so we can set any type of memory block, but the memory will be set byte by byte.
2. ch: This is the value that is to be copied to the memory block. This is an integer value, but it is converted to an unsigned character before copied.
3. n: This is the number of bytes in the memory block which is set.

Return values:

memset() returns the first address of the memory block from where it starts to set the value.

Examples:

In Example1.c, we have declared one character array of size 30. Then we have initialized it with the string “ABCD EFGH.” In the memset function, we have passed 3 arguments str, ‘x’ and 3. So, the memory block pointed by str will be reset the first 3 characters by ‘x.’ After memset, when we print the memory, we will get “xxxD EFGH.”

In Example2.c, we have passed str+4 to memset function. So, it reset the memory after the 4th location of str.  After memset, when we print the memory, we will get “ABCDxxxGH.”

In Example3.c, we have declared an integer array of size 5 and trying to initialize it by 10. But from the output, we have seen that the array is not initialized by 10; instead, we have got the value “168430090”. This is because the integer value is greater than one byte and the memset function converts the value to an unsigned character before copied. Now, we will see how we will get the value “168430090”.

The binary representation of 10 is 00000000 00000000 00000000 00001010.

When integer converted to unsigned char, the lower 1 byte is considered. So, when 10 is converted to unsigned char, it’s a binary representation is 00001010.

memset() function sets the memory location byte by byte. So, a total of 4 bytes will be: 00001010 00001010 00001010 00001010.

The decimal value of the binary representation of 4 bytes is 168430090.

In Example4.c, we have initialized the integer array by 0. All bits of the binary representation of 0 is 0. So the array is initialized by 0.

In Example5.c, we have initialized the integer array by 0. All bits of the binary representation of -1 is 1. So the array is initialized by -1.

Conclusion:

In this article, we have seen using the memset function how we can initialize or set the value of a memory block efficiently. We can set any character and 0 or -1 as an integer value to a memory block. Memset function is faster to set a large chunk of contiguous memory in comparison with simply setting the location using a loop.

In this article, we are going to discuss operations on strings. As we know in python, a string is an immutable data type (read-only). This can be declared in single quotes (s=’ ’) or double quotes (s=” ”), or triple quotes (s=’’’ ’’’ or s=””” “””)

How to enter into the python interpreter

Open Linux terminal and type python and hit enter so we will see python interpreter. For python3+ version, type python3. The following info we are going to see on the terminal. If we want to check the python version, the command is “python -v.”

Output:

The following operations can be performed on the string

String Slice

This is useful when we want only part of the string.

Note: string index always starts from 0. A string can be traversed in forward and as well as reverse direction (using the negative index).

Ex: s =”Good morning”

syntax: variablename[start:stop:step].

Here stop is excluded. If we provide only a start, it will extract all the characters from start to end. If we provide only a stop, it will extract from the 0th index to stop. We can omit both starts and stop; in that case, we need to provide at least colon (s[:]). If we don’t provide a Step value, the default value is 1.

Ex: s1 = ”Good morning”.

In this example, we want to extract “good”.

Suppose we want to extract “ood mor”

Suppose we want to extract “ning”(using the reverse index)

Suppose we want to reverse a string

Length

This method returns the number of characters in the string.

syntax: len(string)

Concatenation

This concatenates or combines two strings.

syntax: s3 = s1 + s2

Uppercase

This method converts all the characters in the string to upper case.

syntax: string.upper()

Lowercase

This method converts all the characters in the string to lower case.

syntax: string.lower()

Strip

This method strip/delete the value from the string provided as a parameter. The default parameter is space.

There 3 types of strips:

1. lstrip() : This strips only the left side of the string.
2. rstrip() : This strips only the right side of the string.
3. strip() : This strips entire string.

Search substring in a string

This return “True” if substring found in string else returns False. The membership operators “in” and “not in” is used to check this.

syntax: substring in a string

Startswith

This method is used to check if a string starts with a substring. It returns True if the string starts with substring else return False.

syntax: s.starsiwth(substring)

Endswith

This method is used to check if a string ends with a substring. It returns “True” if the string ends with substring else return False

syntax: s.endsiwth(substring)

Index

This method is used to find the index of the substring in a string. If found, returns start character index of substring else value error exception is raised.

syntax: string.index(substing, beg=0,end=len(string))

Find

This method is used to find the index of a substring in a string. If found, returns start character index of substring else -1 value returned.

syntax: string.find(substing, beg=0,end=len(string))

Count

This method is used to count the occurrence of a substring in a string.

syntax: string.count(substring)

Swap case

This method swap/interchange the case of a string.

syntax: string. Swapcase()

Capitalize

This method capitalizes the first letter of string

syntax: string.capitalize()

Find minimum/maximum alphabetical character in the string

syntax: min(string), max(string)

Replace

This method replaces the occurrence of a substring with another string. If max provided that many times it will replace

syntax:  string. replace (old substring, newstring, max)

Split

This method Split the string based on the parameter provided. It returns a list of words if a split parameter found other returns string as a list.

In 1st example, the split character is space, and it is found in a string. It returns a list of words

In 2nd example, the split character is _, and it did not found in the string. It returns the same string as the list.

Check string contain alphanumeric characters

This method returns “True” if all characters in a string are alphanumeric; otherwise, False

syntax: string.isalnum()

Check string contains alphabetic characters

This method returns “True” if all characters in a string are alphabetic; otherwise, False

syntax: string.isalpha()

Check string contains only digits

This method returns “True” if all characters in a string are digits; otherwise, False

syntax: string.isdigit()

Check string contain all lowercase characters

This method returns “True” if all characters in a string are lowercase; otherwise, False

syntax: string.islower()

Check string contain all uppercase characters

This method returns “True” if all characters in a string are uppercase; otherwise, False

syntax: string.isupper()

Check string contains only space

This method returns “True” if all characters in a string are spaces; otherwise, False

syntax: string.isspace()

Join

This method takes all items in a sequence (list, tuple, dict) and joins as a single string based on parameter. All items should be a string.

syntax: parameter.join(sequence)

Here the sequence is a list, and all items are joined using space and # parameter.

Conclusion

The string is an immutable datatype, and any operation we perform should be stored in another string variable. The above are the most common and generally used operation on string.

If we want to check what are all operations are supported for string type dir(str) on an interpreter and hit enter. It will display all methods/functions if we want to check the documentation for string method/function type help(str) and hit enter.

In this article, you will learn how to search for strings in packets using Wireshark. There are multiple options associated with string searches. Before going further in this article, you should have a general knowledge of Wireshark Basic.

Assumptions

A Wireshark capture be in one state; either saved/stopped or live. We can perform string search in live capture also but for better and clear understanding we will use saved capture to do this.

Step 1: Open Saved Capture

First, open a saved capture in Wireshark. It will look like this:

Step 2: Open Search Option

Now, we need a search option. There two ways to open that option:

1. Use the keyboard shortcut “Ctrl+F”
2. Click “Find a packet” either from the outside icon or go to “Edit->Find Packet”

Check out the screenshots to view the second option.

Whichever option you use, the final Wireshark window will look like the screenshot below:

Step 3: Label Options

We can see multiple options (dropdowns, checkbox) inside the search window. You can label these options with numbers for easy understanding. Follow the screenshot below for numbering:

Label1
There are three sections in the dropdown.

1. Packet list
2. Packet details
3. Packet bytes

From the below screenshot, you can see where these three sections in Wireshark are located:

Selecting section a/b/c means that the string will be done in that section only.

Label2
We will keep this option as the default, as it is the best for common searching. It is recommended to keep this option as the default unless it is required to change it.

Label3
By default, this option is unchecked. If “Case sensitive” is checked, then the string search will only find exact matches of the searched string. For example, if you search for “Linuxhint” and Label3 is checked, then this will not search for “LINUXHINT” in Wireshark capture.

It is recommended to keep this option unchecked unless it is required to change it.

Label4
This label has different types of searches, such as “Display filter,” “Hex value,” “String,” and “Regular Expression.” For the purposes of this article, we will select “String” from this dropdown menu.

Label5
Here, we need to enter the search string. This is the input for the search.

Label6
After the Label5 input is given, click the “Find” button to trigger the search.

Label7
If you click “Cancel,” then the search windows will close, and you need to return to follow Step 2 to get this search window back.

Step 4: Examples

Now that you understood the options for searching, let us try out some examples. Note that we have disabled the coloring rule to see the search packet we selected more clearly.

Try1 [Options combination used: “Packet List” + “Narrow & Wide” + “Unchecked Case Sensitive”+ String]

Search String: “Len=10”

Now, click “Find.” Below is the screenshot for the first click on “Find:”

As we have selected “Packet list,” the search was performed inside the packet list.

Next, we will click the “Find” button again to see the next match. This can be seen in the screenshot below. We did not mark any sections to allow you to understand how this search happens.

With the same combination, let us search the string: “Linuxhint” [To check not found scenario].

In this case, you can see the yellow-colored message at the left-bottom side of Wireshark, and no packet is selected.

Try2 [Options combination used: “Packet details” + “Narrow & Wide” + “Unchecked Case Sensitive”+ String]

Search String: “Sequence number”

Now, we will click “Find.” Below is the screenshot for the first click on “Find:”

Here, the string found inside “packet details” was selected.

We will check the “Case sensitive” option and use the search string as a “Sequence Number,” keeping the other combinations as is. This time, the string will match the exact “Sequence Number.”

Try3 [Options combination used: “Packet bytes” + “Narrow & Wide” + “Unchecked Case Sensitive”+ String]

Search String: “Sequence number”

Now, click “Find.” Below is the screenshot for the first click on “Find:”

As expected, the string search is happening inside the packet bytes.

Conclusion

Performing a string search is a very useful method that can be used to find a required string inside of a Wireshark packet list, packet details, or packet bytes. Good searching makes analysis of large Wireshark capture files easy.

In this article, you will learn how to capture wireless frames using Wireshark in Linux (Example: Ubuntu. To follow this article, first, you should learn the basics of WireShark in the Wireshark Basic article, and then you can come back here.

There are some steps to be followed to achieve this.

Setup Check

Below are the requirements for capturing Wi-Fi packets using Wireshark.

Wi-Fi Interface

To check whether you meet this requirement, open the terminal using the shortcut Alt+Ctrl+T and run the command “iwconfig.” This output should show if there is an operable Wi-Fi interface. The following screenshot shows the output of this command:

In this example “wlp2s0” is the interface name for the Wi-Fi card.

• “IEEE 802.11” is the indication for the Wi-Fi interface.
• By default, the mode is “Managed,” which means that it is a client or station mode.

Support for Monitor Mode

The Wi-Fi card must support monitor mode to be able to sniff out wireless packets. This is a must, or you cannot sniff wireless packets using Wireshark. Open the terminal and run the command “iw phy0 info” or “iw list.” There is a huge list of information available here, but we just have to check the section for “monitor.” If the device does not support monitor mode, then it will not be possible to sniff the wireless packet using Wireshark.

Check Wireshark Software

Open the terminal and run the command “wireshark –version.” If Wireshark is installed, then there should be a version name with many details, as in the following screenshot:

If it is not installed, then use the commands “apt-get update” and “apt-get install wireshark” to install Wireshark on your system.

Configuring Monitor Mode

In previous sections, you saw that the Wi-Fi interface default mode is “managed.” To capture a wireless packet, we need to convert the “managed” mode to “monitor” mode. There are different commands that you can use, but to use a simple method first, we will try using the “iwconfig” command to create monitor mode.

Let us assume that the name of the Wi-Fi interface is “wlp2s0,” as shown in the screenshot.

Step 1: Enter Superuser Mode

First, enter into superuser mode; otherwise, we will get permission to do this.

Command: “su”

Step 2: Create Monitor Mode

Command: “iwconfig wlps20 mode monitor”

Output: If the interface is up and active, you will get the “Device or resource busy” error.

So, make interface down using the following command.

Command: “ifconfig wlsp2s0 down”

Then, execute the first command again.

Finally, check whether the interface is in monitor mode using the “iwocnfig” command.

Here is the screenshot to explain all the above steps:

Step 3: Configure Wi-Fi Sniffing Channel

In wireless protocol, there are two radio frequency bands:

1. 5GHz [Frequency range is 5180MHz – 5825MHz]
2. 2.4GHz [Frequency range is 2412MHz – 2484MHz]

Wiki link for WLAN channels list: https://en.wikipedia.org/wiki/List_of_WLAN_channels

If your wireless card supports 1 and 2, that means that the Wi-Fi card can sniff both bandwidth configured channels. Let us see what our card supports.

Using the command “iw list,” we can check this capability. We are looking for the section below in the command output screenshot:

As yu can see in the above list, this Wi-Fi chip supports only 2.4Ghz [Check the frequency range].

Each frequency is known as channel number. For example, 2412MHz is considered channel 1 [Shown in [] ].

Now, we need to configure one channel for our monitor mode interface. Let us try to set channel 11 [frequency is 2462MHz].

Command: “iwconfig wlp2s0 channel 11”

If above command outputs an error, this makes the interface up [“ifconfig wlp2s0 up”] and then executes the “iwconfig wlp2s0 channel 11” command. Finally, execute the “iwconfig” command to ensure that the channel is set up properly.

The following screenshot explains the steps given above:

Step 4: Launch Wireshark and Start Capturing

Now, we are all set to capture wireless packets. You can start Wireshark in the background using the following command:

In the startup window of Wireshark, you should see the following screen. Here, you can see a list of interfaces.

Next, choose your monitor mode interface, which is “wlp2s0.” Select this interface and then double-click on it.

You can see that live capturing is currently going on.

The following include some hints about wireless packets:

You should see the protocol section, which generally shows 802.11, which is wireless IEEE standard.

You should also see the “Beacon,” “Probe Request,” and “Probe Response” frames under the info section of any frame.

If you wish to save the capture and check it later, then select “save” or “save as” and save it for later analysis.

As long as the interface is in monitor mode you can capture wireless packet. Remember if you reboot the system the wireless interface will come up as “Managed” mod again.

Conclusion

In this article, you learned how to capture wireless packets using Wireshark in Linux. This is very easy to do in Linux using the built-in Wi-Fi card without installing any extra third-party software. You can make a shell script containing all these commands and run that single shell script to configure your system’s Wi-Fi card as monitor mode, set the preferred channel, and start using Wireshark.

static {data type} {variable name}

Static local variables

When a variable in a function is static, the variable preserves its value between function calls.

In Example 1.c, we have two functions: fun1() and fun2(). In fun1(), we declare one variable (count) and initialize it to 0. Then, we increment the count variable and return the resulting value. Using main(), we call fun1() twice, and each time, a value of 1 is returned because the count variable is cleared when the call to fun1() is completed. In fun2() we declared the count variable as a static variable. Therefore, its value is preserved. Using main(), we call fun2() twice: the first time, a value of 1 is returned, and the second time, a value of 2 is returned.

Static global variables

A static global variable behaves in the same way as other global variables, but it cannot be accessed from another C program.

Static functions

In C, functions are global by default. However, if we declare a static function, then the function is local and cannot be accessed from another C program.

Initialization of static variables

If a static variable is not explicitly initialized, then it is initialized as 0.

In Example2.c, we declared a static variable i that is not initialized. However, because the variable is static, it is automatically initialized to 0.

It is important to note that a static variable must be initialized by a constant literal; we cannot use a function’s return value to initialize a static variable.

In Example3.c, we try to initialize a static variable by using the return value of fun1(). However, as you can see, an error is returned when the code is compiled.

Summary

The lifetime of a static variable and the lifetime of the program are equal.

If a static variable is not initialized, then it will take on a default value of 0.

Neither a global static variable nor a static function is accessible from a program other than the one in which it was defined.

Header File:

stdlib.h

Syntax:

int rand (void)

Return values:

This function returns the next pseudo-random number in the series. The range value of the number series is between 0 and RAND_MAX. RAND_MAX is a macro defined in stdlib.h header file, whose value is the maximum value, which can return by rand() function. The value of RAND_MAX is greater but not less than 32767 depending on the C libraries.

In Example1.c, we call the rand() function in each iteration of for loop and print the return value of the function. The value sequence of the rand() function is the same each time we run the program. By default, the seed of the rand function is set to 1.

We can set the seed for the rand function using the srand() function. The seed can be set only once, and before the first time rand() function call.

srand() function:

Header File:

stdlib.h

Syntax:

int srand (unsigned int seed)

Arguments:

This function takes 1 argument

seed: An integer value used as a seed for a new series of pseudo-random numbers.

Return values:

None

In Example2.c, we have used the srand() function to set the initial seed of the random number sequence generated by rand() function. Each time the program is run, a different sequence is generated. In srand(), time(0) function (declared in time.h header file) is used as a seed. This time(0) function returns the number of seconds elapsed since the epoch (00:00:00, January 1, 1970). This still may produce the same sequences if you run the program in the same second.

In Example3.c we have seen how random numbers can be generated between 1 and 10.

In Example4.c we have taken the range from the user and generated a random number within this range. The formula is: rand() % (max – min +1)) + min

In Example5.c, we have seen how we can generate random numbers between float 0.0 and 1.0 The formula is: (float)rand() /RAND_MAX)

In Example6.c, we have taken the range from the user and generated a random number within this range (both inclusive). The formula is: min + ((float)rand() /(RAND_MAX/(max – min)))

Conclusion:

In this article, we have learned how random numbers can be generated using the rand() and srand() function. There are no guarantees about the quality of the random numbers generated by the rand function, but it is good enough for casual use. ]]> https://linuxhint.com/memcpy_function_c_programming/ Thu, 08 Oct 2020 10:44:01 +0000 https://linuxhint.com/?p=70317 In the C language memcpy() function is used to copy a block of memory from one location to another. In this article, we are going to discuss in detail how the memcpy() function is used. So, let’s get started.

Header File:

Syntax:

Arguments:

The function takes 3 arguments:

1. dest :

This is a starting pointer of a memory block where the memory block pointed by src (2nd argument) will be copied. The pointer is declared as void, so any type of memory block can be copied.

2. src :

This is a starting pointer of the source memory block from where the memory block will be copied. The pointer is declared as void, so any type of memory block can be copied.

3. size :

This is the size of the memory block in bytes.

The value of the two pointer dest and src should be in such a way that two memory blocks do not overlap. The size of memory blocks of source and destination must be at least of size (3rd argument) bytes to avoid overlapping situations. If the two memory blocks are overlapped then the behavior of the memcpy() function is undefined. When there is a possibility of overlapping, you can use the memmove() library function where overlapping is well defined. memmove() function is slower compared to memcpy() function.

Due to the value of size, if the source or destination is accessed beyond their buffer length then the behavior of the memcpy() function is undefined.

The memcpy() function does not check to terminate ‘\0’ character.

Return values:

This function returns the value of destination address dest. As the value of dest is already available so, it need not to store in any variable.

Examples:

In Example1.c we have declared two-character array src and dest. The size of the src is 6 and the dest is 13. First, we copied 6 characters ‘H’, ‘e’, ‘l’, ‘l’, ‘o’, ‘\0’ from src to dest ( Line 11 ). In the second memcpy() function copied 8 characters ‘ ’, ‘w’, ‘o’, ‘r’, ‘l’, ‘d’, ‘!’, ‘\0’ to the dest after 5 characters ( Line 15 ). Pictorially we can represent this as follows:

In Example2.c we have declared two structure student1 and student2 (Line 15 and 16). First, we initialize student1 (Line 19, 20, 21). After that, we use memcpy to copy data from student1 to student2.

Conclusion:

In this article, we have learned how to use the memcpy function. We have seen that this function can be used for any type of memory block but this function has some limitations. So, you have to use this function carefully. ]]> https://linuxhint.com/string_length_c_language/ Fri, 02 Oct 2020 17:45:59 +0000 https://linuxhint.com/?p=69761 A string in C language is an array of characters that is terminated with a null character (\0). The string length is the number of characters in a string. In the string length ‘\0,’ a character is not counted.

In the example shown above, the length of the string str is 6.

In this tutorial, first, we will show how to use a user defined function to calculate length of a string, and then we will show you a built-in library function strlen(). We also show you the uses of the sizeof operator for string literals.

String Length Using User Defined Function

You can write a user defined function which returns the number of characters in a string.

Here, we iterate the while loop from i = 0 until we do not encounter the ‘\0’ character. The value of i is increased by 1 in each iteration of the while loop. When the loop ends, the value of i is the length of the string.

String Length Using Built-In Library Function

The built-in library function strlen() can also be used to determine string length.

strlen() function:

Header file:

Syntax:

Argument: This function takes an argument of the type pointer to char.

Return value: This function returns the length of the string str. Note that size_t is just an alias of an unsigned integer.

Here, we pass string array, string pointer, and string literal to the strlen function, and the function returns the length of the string.

String Length Using sizeof Operator

We also can use the sizeof operator for string length (only for string literal). But, we have to subtract 1 from the value returned by this operator, because it also counts the’\0’ character. For array and pointer, the sizeof operator returns the allocated size of the array and the pointer, respectively.

Here, in Line no 9, we pass the string literal “STRING” and get the size, including the ‘\0’ character. So, we subtract 1 and get the actual size of the string.

When we pass an array to the sizeof operator, it returns the allocated size of the array, which is 30, and when passing a character pointer, it returns the size of the pointer.

Conclusion

So, in this tutorial, we have shown you how string length can be calculated in various ways. You can use in your code whichever method is best suited for you.

Two strings can be compared in various ways. In this tutorial, first, we will see a user-defined function to compare two strings, and then we will see some built-in library functions which can be used to compare two strings very easily. So, let’s get started.

String comparison using a user-defined function :

We will write a function stringCompare() to compare strings. We traverse the strings and compare each character of the string until we reach the end of any one or both or one mismatched are found. If the traversal is reached to the end of both the strings, then the strings are matched; otherwise, strings are mismatched.

Here we traverse the strings using while loop and a variable i. When characters are equal in the same position of both strings, the value of i is incremented by 1 (line 13). If characters are not equal (line 09) or we reach the end of the string (line 11), then the while loop is a break. After the while loop, we check both the string traversals are reached to the end or not (line 16). If the traversal is reached to the end of both strings, then the strings are equal otherwise not.

String comparison using built-in library functions :

The following library functions can be used for string comparison. All the functions are declared in the string.h header file.

strcmp() function :

This function compares two strings passed to the function.

Syntax:

Return value: Return 0 if the strings are equal. Return a negative integer if the ASCII value of the first unmatched character of the first string is less than the second string. Return a positive integer if the ASCII value of the first unmatched character of the first string is greater than the second string. Some systems return difference of the ASCII value of first mismatched character and some systems return -1 if the ASCII value of the first unmatched character of the first string is less than the second string and return 1 if the ASCII value of the first unmatched character of the first string is greater than the second string.

strncmp() function :

This function is similar to the function strcmp(), but here we have to specify how many bytes are compared by passing an extra argument to the function.

Syntax:

Return value: The function returns 0 if the first n characters of the two strings are equal; otherwise, it returns negative or positive integer depending on the sign of the differences between the first mismatched character’s ASCII value.

strcasecmp() function :

This function is similar to the function strcmp(), but here the strings are not case sensitive.

Syntax:

Return value: Same as strcmp(), but strings are treated as case-in-sensitive.

strncasecmp() function :

This function is similar to the function strncmp(), but here the strings are not case sensitive.

Syntax:

Return value: Same as strncmp(), when strings are treated as case-in-sensitive.

memcmp() function :

This function compares two memory blocks byte by byte. We have to pass two pointers of the memory blocks and the number of bytes to compare.

Syntax:

Return value: The function returns 0 if the two memory blocks (n bytes) are equal; otherwise, it returns the differences between the first mismatched pair of bytes (bytes are interpreted as unsigned char objects, then promoted to int).

Example:

Following is the C code example of all the functions discussed.

Conclusion:

So, in this tutorial, we have seen how strings can be compared in various ways. As we have seen, the stringCompare() function returns -1 for unequal strings, but this can be modified so that it returns ASCII value of mismatched character. You can use it in your code, which is best suited for you.

The above command should start the Wireshark installation process. If the below screenshot window occurs, we have to press “Yes”.

Once the installation is completed, we can Wireshark version using the below command.

So, installed Wireshark version is 2.6.6, but from official link [https://www.wireshark.org/download.html], we can see the latest version is more than 2.6.6.

To install the latest Wireshark version, follow the below commands.

Or

We can install manually from the below link if the above commands do not help. https://www.ubuntuupdates.org/pm/wireshark

Once Wireshark is installed, we can start Wireshark from the command line by typing

Or

by searching from Ubuntu GUI.

Note that we will try to use the latest Wireshark [3.0.1] for further discussion, and there will be very little differences between different versions of Wireshark. So, everything will not match exactly, but we can understand the differences easily.

We can also follow https://linuxhint.com/install_wireshark_ubuntu/ if we need step by step Wireshark installation help.

Introduction to the Wireshark:

• graphical interfaces and Panels:

Once Wireshark is launched, we can select the interface where we want to capture, and Wireshark window looks like below

Once we choose the correct interface for capturing the whole Wireshark window looks like below.

There are three sections inside Wireshark

• Packet List
• Packet Details
• Packet Bytes

Here is the screenshot for understanding

Packet List: This section displays all packets captured by Wireshark. We can see the protocol column for the type of packet.

Packet Details: Once we click on any packet from Packet List, packet details show supported networking layers for that selected packet.

Packet Bytes: Now, for the selected field of the selected packet, hex (default, It can be changed to binary also) value will be shown under the Packet Bytes section in Wireshark.

• Important Menus and Options:

Here is the screenshot from Wireshark.

Now there are many options, and most of them are self-explanatory. We will learn about those while doing analysis on captures.

Here are some important options are shown using a screenshot.

TCP/IP Fundamentals:

Before going to do packet analysis, we should be aware basics of networking layers [https://linuxhint.com/osi_network_layer_analsysis_wireshark/].

In general, there are 7 layers for the OSI model and 4 Layer for the TCP/IP model shown in the below diagram.

But in Wireshark, we will see below layers for any packet.

Each layer has its job to do. Let’s have one quick look at each layer’s job.

Physical Layer: This layer can transmit or receive raw binary bits over a physical medium like Ethernet cable.

Data Link Layer: This layer can transmit or receive a data frame between two connected nodes. This layer can be divided into 2 components, MAC and LLC. We can see the MAC address of the device in this layer. ARP works in the Data Link Layer.

Network Layer: This layer can transmit or receive a packet from one network to another network. We can see the IP address (IPv4/IPv6) in this layer.

Transport Layer: This layer can transmit or receive data from one device to another using a port number. TCP, UDP are transport layer protocols. We can see the port number is used in this layer.

Application Layer: This layer is closer to the user. Skype, Mail service, etc. are the example of application layer software. Below are some protocols which run in the application layer

HTTP, FTP, SNMP, Telnet, DNS etc.

We will understand more while analyzing the packet in Wireshark.

Live Capture of network traffic

Here are the steps to capture on a live network:

Step1:

We should know where [Which Interface] to capture packets. Let’s understand the scenario for a Linux laptop, which has an Ethernet NIC card and Wireless card.

:: Scenarios ::

• Both are connected and have valid IP addresses.
• Only Wi-Fi is connected, but Ethernet is not connected.
• Only Ethernet is connected, but Wi-Fi is not connected.
• No interface is connected to the network.
• OR there are multiple Ethernet and Wi-Fi cards.

Step2:

Open terminal using Atrl+Alt+t and type ifconfig command. This command will show all up interface with IP address if any interface has. We need to see the interface name and remember. The below screenshot shows the scenario of “Only Wi-Fi is connected, but Ethernet is not connected.”

Here is the screenshot of command “ifconfig” which shows that only wlan0 interface has the IP address 192.168.1.102. That means wlan0 is connected to the network, but ethernet interface eth0 is not connected. This means we should capture on the wlan0 interface to get to see some packets.

Step3:

Launch Wireshark, and you will see the interfaces list on the home page of Wireshark.

Step4:

Now click on the required interface, and Wireshark will start capturing.

See the screenshot to understand live capture. Also, look for Wireshark’s indication for “live capture is in progress” at the bottom of Wireshark.

Color coding of traffic in Wireshark:

We may have noticed from previous screenshots that different types of packets have a different color. Default color coding is enabled, or there is one option to enable color-coding. Look at the screenshot below

Here is the screenshot when color coding is disabled.

Here is the setting for coloring rules at Wireshark

After clicking “Coloring Rules” below window will be opened.

Here we can customize the coloring rules for Wireshark packets for each protocol. But the default setting is quite good enough for capture analysis.

Saving Capture to a file

After stopping the live capture, here are the steps to save any capture.

Step1:

Stop the live capture by clicking below the marked button from screenshot or by using shortcut “Ctrl+E”.

Step2:

Now to save file go to File->save or use shortcut “Ctrl+S”

Step3:

Enter the file name and click on Save.

Loading a Capture file

Step1:

To load any existing saved file, we have to go to File->Open or use the shortcut “Ctrl+O”.

Step2:

Then choose the required file from the system and click open.

What important details can be found in packets that can help with forensic analysis?

To answer questions first, we need to know what kind of network attack we are dealing with. As there are different kinds of network attack which uses different protocols so we can not say any fix Wireshark packet field to identify any issue. We are going to find this answer when we will discuss each networking attack in detail under “Network Attack”.

Creating Filters on traffic type:

There may be many protocols in a capture, so if we are looking for any specific protocol like TCP, UDP, ARP, etc., we need to type the protocol name as a filter.

Example: To show all TCP packets, the filter is “tcp”.

For UDP filter is “udp”

Note that: After typing the filter name, if the color is green, that means it’s a valid filter or else its invalid filter.

Valid Filter:

Invalid Filter:

Creating filters on address:

There are two types of addresses we can think of in case of networking.

1. IP address [Example: X = 192.168.1.6]

Requirement	Filter
Packets where IP is X	ip.addr == 192.168.1.6
Packets where source IP is X	ip.src == 192.168.1.6
Packets where destination IP is X	ip.dst == 192.168.1.6

We can see more filters for ip after following below step shown in the screenshot

2. MAC address [Example: Y = 00:1e:a6:56:14:c0]

This will be similar to previous table.

Like ip, we can also get more filters for eth. See the below screenshot.

Check the Wireshark website for all available filters. Here is the direct link

https://www.wireshark.org/docs/man-pages/wireshark-filter.html

You can also check these links

https://linuxhint.com/filter_by_port_wireshark/

https://linuxhint.com/filter_by_ip_wireshark/

Identify a large amount of traffic being used and what protocol it’s using:

We can take help from Wireshark inbuilt option and find out which protocol packets are more. This is required because when there are millions of packets inside a capture, and also size is huge, it will be difficult to scroll through every packet.

Step 1:

First of all, the total number of packets in the capture file is shown at right bottom side

See below screenshot

Step 2:

Now go to Statistics->Conversations

See below screenshot

Now the output screen will be like this

Step 3:

Now let’s say we want to find out who (IP address) exchanges maximum packets under UDP. So, go to UDP->Click on Packets so that the max packet is displayed on top.

Look at the screenshot.

We can get the source and destination IP address, which exchanges maximum UDP packets. Now the same steps can be used for other protocol TCP also.

Follow TCP Streams to see the full conversation

To see full TCP conversations, follow the below steps. This will be helpful when we want to see what happens for one particular TCP connection.

Here are the steps.

Step1:

Right-click on TCP packet in Wireshark like below screenshot

Step2:

Now go to Follow->TCP Stream

Step3:

Now one new window will be opened showing the conversations. Here is the screenshot

Here we can see HTTP header information and then the content

Now let’s go through some famous networking attacks through Wireshark, understand the pattern of different networking attacks.

Network Attacks:

Network attack is a process to gain access to other network systems and then steal data without knowledge of the victim or inject malicious code, which makes the victim’s system into a mess. In the end, the target is to steal data and make use of it with a different purpose.

There are many types of networking attacks, and here we are going to discuss some of the important networking attacks. We have chosen below attacks such a way that we can cover different types of patterns of attack.

A. Spoofing/ Poisoning Attack (Example: ARP spoofing, DHCP spoofing, etc.)

B. Port Scan Attack (Example: Ping sweep, TCP Half-open, TCP full connect scan, TCP null scan, etc.)

C. Brute force Attack (Example: FTP username and password, POP3 password cracking)

D. DDoS Attack (Example: HTTP flood, SYN flood, ACK flood, URG-FIN flood, RST-SYN-FIN flood, PSH flood, ACK-RST flood)

E. Malware Attacks (Example: ZLoader, Trojans, Spyware, Virus, Ransomware, Worms, Adware, Botnets, etc.)

A. ARP Spoofing:

What is ARP Spoofing?

ARP spoofing is also known as ARP poisoning as an attacker, makes the victim update ARP entry with attacker MAC address. It’s like adding poison to correct ARP entry. ARP spoofing is a networking attack that allows the attacker to divert the communication between network hosts. ARP spoofing is one of the methods for Man in the middle attack( MITM).

Diagram:

This is the expected communication between Host and Gateway

This is the expected communication between Host and Gateway when the network is under attack.

Steps of ARP Spoofing Attack:

Step1: The attacker chooses one network and starts sending broadcast ARP requests to the sequence of IP addresses.

Step2: Attacker checks for any ARP reply.

Step3: If an attacker gets any ARP reply, then the attacker sends the ICMP request to check the reachability to that host. Now the attacker has the MAC address of these hosts whoever sent ARP reply. Also, the host who has sent ARP reply updates its ARP cache with the attacker IP and MAC assuming that that is the real IP and MAC address.

Now from the screenshot, we can say any data comes from 192.168.56.100 or 192.168.56.101 to IP 192.168.56.1 will reach to attacker MAC address, which is claiming as ip address 192.168.56.1.

Step4: After ARP spoofing, there may be multiple attacks like Session hijack, DDoS attack. ARP spoofing is just the entry.

So, you should look for these above patterns to get hints of the ARP spoofing attack.

How to avoid it?

• ARP spoofing detection and prevention software.
• Use HTTPS instead of HTTP
• Static ARP entries
• VPNS.
• Packet filtering.

B. Identify Port Scan attacks with Wireshark:

What is Port scanning?

Port scanning is a type of networking attack where attackers start sending a packet to different port numbers to detect the status of the port if it’s open or closed or filtered by a firewall.

How to detect Port scanning in Wireshark?

Step1:

There are many ways to look into Wireshark captures. Suppose we observe that there are contentious multiple SYN or RST packet in captures. Wireshark Filter: tcp.flags.syn == 1 or tcp.flags.reset == 1

There is another way to detect it. Go to Statistics->Conversions->TCP [Check Packet Column].

Here we can see so many TCP communications with different ports [Look at Port B], but packet numbers are only 1/2/4.

Step2:

But there is no TCP connection observed. Then it’s a sign of port scan.

Step3:

From below capture, we can see SYN packets were sent to port numbers 443, 139, 53, 25, 21, 445, 23, 143, 22, 80. As some of the ports [139, 53, 25, 21, 445, 443, 23, 143] were closed so attacker [192.168.56.1] received RST+ACK. But the attacker received SYN+ACK from port 80 (packet number 3480) and 22 (packet number 3478). This means port 80 and 22 are opened. Bu attacker was not interested in TCP connection it sent RST to port 80 (packet number 3479) and 22 (packet number 3479)

Note that: Attacker can go for TCP 3-way handshake (Shown below), but after that attacker terminates the TCP connection. This is called a TCP full connect scan. This is also one type of port scan mechanism instead of a TCP half-open scan like discussed above.

1. The attacker sends SYN.

2. The victim sends SYN+ACK.

3. Attacker sends ACK

How to avoid it?

You can use a good firewall and intrusion prevention system (IPS). The firewall helps to control ports about its visibility, and IPS can monitor if any port scan is in progress and block the port before anyone gets full access to the network.

C. Brute force Attack:

What is the Brute Force Attack?

Brute Force Attack is a networking attack where the attacker tries a different combination of credentials to break any website or system. This combination may be a user name and password or any information that allows you to enter to system or website. Let’s have one simple example; we often use a very common password like password or password123, etc., for common usernames like admin, user, etc. So if the attacker makes some combination of username and password, this type of system can be easily breakable. But this is one simple example; things can go for a complex scenario also.

Now, we will take one scenario for File Transfer Protocol (FTP) where username and password are used to login. So, the attacker can try multiple usernames and password combinations to get into the ftp system. Here is the simple diagram for FTP.

Diagram for Brute Force Attchl for FTP Server:

FTP Server

Multiple wrong login attempts to FTP Server

One successful login attempt to FTP server

From the diagram, we can see that attacker tried multiple combinations of FTP usernames and passwords and got success after sometime.

Analysis on Wireshark:

Here is the whole capture screenshot.

This is just starting of capture, and we just highlighted one error message from the FTP server. An error message is “Login or password incorrect”. Before the FTP connection, there is a TCP connection, which is expected, and we are not going to details on that.

To see if there is more than one login fail message, we can tale the help of Wireshark filer “ftp.response.code==530” which is the FTP response code for login failure. This code is highlighted in the previous screenshot. Here is the screenshot after using the filter.

As we can see, there are a total of 3 failed login attempts to the FTP server. This indicates there was a Brute Force Attack on the FTP server. One more point to remember that attackers may use botnet, where we will see many different IP addresses. But here for our example, we see only one IP address 192.168.2.5.

Here are the points to remember to detect Brute Force Attack:

1. Login failure for one IP address.

2. Login failure for multiple IP addresses.

3. Login failure for an alphabetically sequential username or password.

Types of Brute Force Attack:

1. Basic brute force attack

2. Dictionary attack

3. Hybrid brute force attack

4. Rainbow table attack

Is the above scenario, we have observed the “Dictionary attack” for cracking the FTP server username and password?

Popular tools used for brute force attack:

1. Aircrack-ng

2. John, the ripper

3. Rainbow crack

4. Cain and Abel

How to avoid Brute Force Attack?

Here are some points for any website or ftp or any other network system to avoid this attack.

1. Increase password length.

2. Increase password complexity.

3. Add Captcha.

4. Use two-factor authentications.

5. Limit login attempts.

6. Lock any user if the user crosses the number of failed login attempts.

D. Identify DDOS attacks with Wireshark:

What is DDOS Attack?

A distributed denial-of-service (DDoS) attack is a process to block legitimate network devices to get the services from the server. There may be many types of DDoS attacks like HTTP flood (Application Layer), TCP SYN (Transport Layer) message flood, etc.

Example Diagram of HTTP Flood:

HTTP SERVER

From the above diagram, we can see the Server receives many HTTP requests, and the server gets busy in service of those HTTP requests. But when a legitimate client sends an HTTP request, the server is unavailable to reply to the client.

How to Identify HTTP DDoS attack in Wireshark:

If we open a capture file, there are many HTTP requests (GET/POST, etc.) from different TCP source port.

Used filter: “http.request.method == “GET”

Let’s see the captured screenshot to understand it better.

From the screenshot, we can see attacker ip is 10.0.0.2, and it has sent multiple HTTP requests using different TCP port numbers. Now server got busy sending HTTP reply for all those HTTP requests. This is the DDoS attack.

There are many types of DDoS attacks using different scenarios like SYN flood, ACK flood, URG-FIN flood, RST-SYN-FIN flood, PSH flood, ACK-RST flood, etc.

Here is the screenshot for the SYN flood to the server.

Note that: The basic pattern of DDoS attack is there will be multiple packets from the same IP or different IP using different ports to the same destination IP with high frequency.

How to stop the DDoS attack:

1. Immediately report to the ISP or Hosting provider.

2. Use the Windows firewall and contact your host.

3. Use DDoS detection software or routing configurations.

E. Identify Malware attacks with Wireshark?

What is Malware?

Malware words came from Malicious Software. We can think of Malware as a piece of code or software that is designed to do some damage on systems. Trojans, Spyware, Viruses, ransomware are different types of malware.

There are many ways malware gets into the system. We will take one scenario and try to understand it from Wireshark capture.

Scenario:

Here in example capture, we have two windows systems with IP address as

10.6.12.157 and 10.6.12.203. These hosts are communicating with the internet. We can see some HTTP GET, POST, etc. operations. Let’s find out which windows system got infected, or both got infected.

Step1:

Let’s see some HTTP communication by these hosts.

After using the below the filter, we can see all HTTP GET request in the capture

“http.request.method == “GET””

Here is the screenshot to explain the content after the filter.

Step2:

Now out of these, the suspicious one is GET request from 10.6.12.203, so we can follow TCP stream [see below screenshot] to find out the more clearly.

Here are the findings from following TCP stream

Step3:

Now we can try exporting this june11.dll file from pcap. Follow the below screenshot steps

a.

b.

c. Now click on Save All and select destination folder.

d. Now we can upload june11.dll file to virustotal site and get the output as below

This confirms that june11.dll is a malware that got downloaded to the system [10.6.12.203].

Step4:

We can use the below filter to see all http packets.

Used Filter: “http”

Now, after this june11.dll got into the system we can see there is multiple POST from 10.6.12.203 system to snnmnkxdhflwgthqismb.com. The user did not do this POST, but the downloaded malware started doing this. It’s very difficult to catch this type of issue on run time. One more point to be noticed that the POST are simple HTTP packets instead of HTTPS, but most of the time, ZLoader packets are HTTPS. In that case, it’s quite impossible to see it, unlike HTTP.

This is HTTP post-infection traffic for ZLoader malware.