Sunday, April 20, 2025

Port Flapping – Layer One At Its Finest

The great thing about working in a small IT shop is that you get exposed to a variety of troubleshooting, installation and support issues. I have worked in many large IT departments where every technology discipline is siloed. Trust me, I totally understand why that is the case, and have no issues with that type of environment.


I do believe, though, that even in those environments there would be a benefit in having people work for a day or two in different silos to get some knowledge transfer: senior staff can mentor and share some of their tribal technical knowledge with staff, and build some internal relationships and collaboration.


On to the point of the article. I have been handed problems lately that have had other technicians stumped – usually because these bright technicians are swamped and can't dedicate a lot of time to these issues.


The last three issues all had the same trend – ‘port flapping’.

My definition of ‘port flapping’ is simply a port that changes between up/down (connect/disconnect) states an ‘excessive’ number of times per hour or per day.

It’s important to compare your data with other ports that have similar devices attached, to make sense of it and provide relevant findings. For example, in one case a new printer was installed and its port was flapping over a thousand times a day, while other printers on the same switch had zero.


When a port is flapping, here is the methodology I follow:

- Check port statistics and look for errors, lower-than-expected negotiated speeds, or half-duplex.
- Is there a pattern to when it flaps, for example only during office hours?
- What is on the end of it?
- Ensure that spanning tree isn't the root cause.
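Counting flaps per port, comparing each port against its peers on the same switch, and checking whether the flaps cluster in office hours are the kind of thing worth scripting once the switch log is exported. The script below is an added example, not code from the post; the syslog line format and the sample lines are constructed (modelled on the common "changed state to up/down" link message), so adjust the regular expression to whatever your switch actually logs.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample switch syslog (not from the post). The message format is an
# assumption modelled on the usual "changed state to up/down" link message.
SAMPLE_LOG = """\
Apr 20 09:01:12 sw1 LINK: Interface 0/12, changed state to down
Apr 20 09:01:14 sw1 LINK: Interface 0/12, changed state to up
Apr 20 09:02:40 sw1 LINK: Interface 0/12, changed state to down
Apr 20 09:02:43 sw1 LINK: Interface 0/12, changed state to up
Apr 20 09:30:05 sw1 LINK: Interface 0/13, changed state to down
Apr 20 09:30:08 sw1 LINK: Interface 0/13, changed state to up
Apr 20 14:10:01 sw1 LINK: Interface 0/12, changed state to down
Apr 20 14:10:04 sw1 LINK: Interface 0/12, changed state to up
Apr 20 23:15:00 sw1 LINK: Interface 0/12, changed state to down
Apr 20 23:15:03 sw1 LINK: Interface 0/12, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ .*?"
    r"Interface (?P<port>\S+), changed state to (?P<state>up|down)$"
)


def parse_events(text, year=2025):
    """Return (timestamp, port, state) tuples for every link up/down line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip anything that is not a link-state message
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["port"], m["state"]))
    return events


def flaps_per_port(events):
    """One flap = one down transition (each down is followed by an up)."""
    return Counter(port for _, port, state in events if state == "down")


def flapping_ports(events, peer_factor=3, min_flaps=2):
    """Ports whose flap count is at least min_flaps and at least peer_factor times
    the median of the other ports seen in the log (the 'compare with similar
    ports' step). Ports that never flapped do not appear in the log at all, so
    feed in a zero for them if you have the full port list."""
    counts = flaps_per_port(events)
    flagged = []
    for port, n in counts.items():
        peers = [c for p, c in counts.items() if p != port]
        baseline = median(peers) if peers else 0
        if n >= min_flaps and n >= peer_factor * max(baseline, 1):
            flagged.append(port)
    return sorted(flagged)


def flaps_by_hour(events, port):
    """Hour-of-day histogram of one port's flaps: is there a time pattern?"""
    return Counter(ts.hour for ts, p, state in events if p == port and state == "down")


def office_hours_share(events, port, start=8, end=18):
    """Fraction of a port's flaps that fall inside office hours [start, end)."""
    hours = flaps_by_hour(events, port)
    total = sum(hours.values())
    if total == 0:
        return 0.0
    inside = sum(n for h, n in hours.items() if start <= h < end)
    return inside / total


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for port in flapping_ports(ev):
        print(f"{port}: {flaps_per_port(ev)[port]} flaps, "
              f"{office_hours_share(ev, port):.0%} during office hours, "
              f"by hour {dict(flaps_by_hour(ev, port))}")
```

A port that flaps only during office hours points at something people do (a laptop docking, a printer sleeping), while flaps spread evenly around the clock point at cabling or the device itself, which is why the hour histogram is kept separate from the raw count.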


Lately I have been working with Ubiquiti EdgeSwitches, and they have a neat cable test feature as well as ‘inspect’, which basically shows you the packets on that port. I have been documenting tips and tricks on using the EdgeSwitch features, like cable test and the ‘inspect’ packet viewer. I also documented some odd behaviors to look out for, like error counters that don’t advance or reset depending on the specific layer one issue, and using the ‘legacy’ screen that has a ton more options.

On one ticket the root cause was the internal cabling. The access point was going offline once a minute. We moved the access point into the telecom room and it ran for a day without an issue. Then we moved it back out to two different offices that were close to one another, and the same issue returned. Finally, we tried an office on the opposite side of the building and had no issues. During the troubleshooting process I had them try a new patch cable at the AP and on the telecom room side, just to be thorough.

 

Of the last two tickets I worked, one was caused by a printer’s power-saving settings, and the interesting part is that when I accessed the printer’s power settings it looked like this.



Remote Wireshark Capture Using SSH

 

Back in the day when Wireshark used WinPcap, I did a write-up on how to remotely connect to another computer and capture some packets, and showed it to people in my training sessions.


When Wireshark went to Npcap, that remote feature seemed to have disappeared.

To be clear, I am not suggesting this tip will replace a packet capture appliance, but like I said in the video, it works great in a pinch and I encourage you to try it.
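The "in a pinch" remote capture the post refers to is usually built by running tcpdump on the far end over SSH and piping its pcap output straight into a local Wireshark. The script below is an added example and not the post's own write-up or video: it builds that pipeline, excludes the SSH session's own traffic from the capture (otherwise every captured packet is carried over SSH, captured again, and the capture snowballs), and quotes the filter safely for the remote shell. The host name, user and interface in the demo are hypothetical, and it assumes tcpdump is installed on the remote host and that the SSH user can run it (the default prepends sudo, which needs a NOPASSWD rule since there is no TTY).

```python
import shlex
import subprocess

# -k: start capturing at once; -i -: read the pcap stream from stdin
WIRESHARK_ARGV = ["wireshark", "-k", "-i", "-"]


def remote_capture_argv(host, iface, bpf="", user=None, ssh_port=22,
                        snaplen=0, use_sudo=True):
    """Build the ssh argv that runs tcpdump remotely and streams a pcap to stdout.

    tcpdump flags: -i <iface>; -U (flush after every packet so Wireshark updates
    live); -s <snaplen> (0 = whole packet); -w - (write pcap to stdout).
    The SSH session carrying the capture is always excluded from the filter.
    """
    exclude_self = f"not tcp port {ssh_port}"
    filt = f"({bpf}) and {exclude_self}" if bpf else exclude_self
    remote = ("sudo " if use_sudo else "") + (
        f"tcpdump -i {shlex.quote(iface)} -U -s {int(snaplen)} -w - {shlex.quote(filt)}"
    )
    target = f"{user}@{host}" if user else host
    return ["ssh", "-p", str(ssh_port), target, remote]


def shell_one_liner(host, iface, bpf="", user=None, ssh_port=22, use_sudo=True):
    """The same pipeline as a single line you could paste into a terminal."""
    ssh = " ".join(shlex.quote(a) for a in
                   remote_capture_argv(host, iface, bpf, user, ssh_port, use_sudo=use_sudo))
    return f"{ssh} | {' '.join(WIRESHARK_ARGV)}"


def run_remote_capture(host, iface, bpf="", user=None, ssh_port=22, use_sudo=True):
    """Pipe the remote tcpdump stream straight into a local Wireshark window."""
    ssh = subprocess.Popen(remote_capture_argv(host, iface, bpf, user, ssh_port,
                                               use_sudo=use_sudo),
                           stdout=subprocess.PIPE)
    ws = subprocess.Popen(WIRESHARK_ARGV, stdin=ssh.stdout)
    ssh.stdout.close()  # drop our copy so ssh sees SIGPIPE once Wireshark exits
    rc = ws.wait()
    ssh.terminate()
    return rc


if __name__ == "__main__":
    # Hypothetical host, user and interface; the MAC is a constructed sample value.
    print(shell_one_liner("router.example.net", "eth0",
                          "ether host 00:11:22:33:44:55", user="admin"))
```

Adding a capture filter on the remote side (the `bpf` argument) matters more here than on a local capture, because every byte that matches is also sent back over the SSH link; a busy interface with no filter can saturate the tunnel. Current Wireshark also ships an `sshdump` extcap interface that wraps this same idea in the GUI, so it is worth checking the interface list before reaching for the manual pipeline.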


Sentimental Sundays - Nokia 3310


The Nokia 3310, first introduced in 2000, quickly became a cultural icon due to its simplicity, durability, and unmatched battery life. With over 126 million units sold worldwide, it stood out in a crowded market with its robust build and long-lasting battery, capable of 55 hours of talk time and up to 245 hours of standby time. The phone's design was minimalist, featuring an 84 × 48 pixel pure monochrome display and a sturdy frame that could withstand significant wear and tear. Its popularity was not just limited to its practical features; it also offered a range of utilities such as a calculator, network monitor, stopwatch, and reminder function, along with four built-in games, including the iconic Snake II.

In 2017, Nokia reintroduced the 3310, incorporating modern elements while retaining the classic design that fans loved. The new version featured a 2.4-inch color display, a 2-megapixel rear camera, and a microSD slot, making it a blend of nostalgia and contemporary functionality. However, the rebooted model faced criticism for being less of a throwback to the original and more of a sleek, modern device. Despite this, it still offered impressive battery life and the return of the beloved Snake game, appealing to those who wanted a simpler, more straightforward mobile experience. The new Nokia 3310 came in four distinct colors: Warm Red and Yellow with a gloss finish, and Dark Blue and Grey with a matte finish, catering to a variety of personal preferences.

Some trivia about the Nokia 3310 includes its impressive durability, which earned it the nickname "The Unbreakable" in Finland, where it was chosen as one of the country's national emojis. The phone's battery life was legendary, with the original model boasting up to 245 hours of standby time, far surpassing the battery life of modern smartphones. Additionally, the 3310 was one of the first phones to allow users to compose their own ringtones through a built-in app called "the composer," which provided a list of options for each key press. The phone also featured a messaging character limit of 459 characters, three times the standard limit of 160 characters at the time, making it a standout feature for SMS enthusiasts.


Thursday, April 17, 2025

Over 16,000 Fortinet devices compromised with symlink backdoor

 


Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.

This exposure is being reported by threat monitoring platform The Shadowserver Foundation, which initially reported 14,000 devices were exposed.

Read the article: https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/
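A symlink that is reachable through a web-served directory but points outside it is exactly the kind of foothold that survives a patch, because the files it exposes were never part of the update. The check below is an added, generic example (not from the article, and not the vendor's own detection): it walks a served tree without following links and reports any symlink whose target resolves outside that tree. The directory layout in `demo()` is constructed in a temporary folder purely to exercise the check; the real path to scan on any given appliance is an assumption you have to supply.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(served_root):
    """Return (link, target, resolved) for every symlink under served_root whose
    target resolves to a location outside served_root."""
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False: never descend into symlinked directories, so a link to
    # / cannot turn this walk into a scan of the whole filesystem.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = os.readlink(link)
            # Joining discards the left side when target is absolute, so both
            # "/" and "../../x" style targets end up fully resolved here.
            resolved = (link.parent / target).resolve()
            if resolved != root and root not in resolved.parents:
                findings.append((str(link), target, str(resolved)))
    return findings


def demo():
    """Build a throwaway tree (constructed fixture): one benign in-tree link and
    one link escaping to /, then run the check against it."""
    base = Path(tempfile.mkdtemp())
    lang = base / "www" / "lang"
    lang.mkdir(parents=True)
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")  # benign: stays inside www
    os.symlink("/", lang / "escape")             # escapes the served tree
    return escaping_symlinks(base / "www")


if __name__ == "__main__":
    for link, target, resolved in demo():
        print(f"ESCAPING SYMLINK: {link} -> {target} (resolves to {resolved})")
```

Run it from a maintenance shell against the directory your web server actually exposes, and treat any hit as something to explain rather than something to delete on the spot: the link, its owner and its timestamp are the forensic record of when the device was touched.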

Monday, April 14, 2025

Wireshark - my mac filter


This is a basic, classic and essential capture filter that I have used, and taught others to use, for many years.

It’s a pretty simple filter but at the same time is very powerful when performing application baselines, troubleshooting, or just trying to learn about protocols.

Using a capture MAC filter in Wireshark offers several key benefits for network analysis, particularly when troubleshooting or monitoring specific devices on a network. A capture MAC (Media Access Control) filter allows users to focus on traffic related to a particular device by filtering packets based on their unique MAC address, which is a hardware identifier assigned to network interfaces. This is especially useful in environments with heavy network traffic, where isolating relevant data can save time and reduce the complexity of analysis. By applying a MAC filter during the capture process, Wireshark only records packets sent to or from the specified device, effectively narrowing the scope of data to what’s most pertinent to the task at hand.

One major advantage of this approach is improved efficiency. Without a filter, Wireshark captures all network traffic passing through the monitored interface, which can result in large, unwieldy packet captures filled with irrelevant data. This can overwhelm users, especially in busy networks like corporate LANs or public Wi-Fi systems. A MAC filter eliminates this noise upfront, reducing the capture file size and making it easier to analyze specific communications, such as identifying connectivity issues, diagnosing latency, or detecting unauthorized activity tied to a single device. For example, if a network administrator suspects a particular workstation is malfunctioning, they can apply a capture MAC filter to track only that device’s traffic without wading through unrelated packets.

Additionally, using a capture MAC filter enhances precision in scenarios where IP addresses might change or be less reliable for tracking, such as in DHCP environments where devices frequently receive new IPs. Since MAC addresses are tied to the hardware and remain constant (unless spoofed), they provide a stable reference point for monitoring a specific device over time. This can be critical for security investigations, like tracing the source of a potential attack, or for performance audits targeting a known piece of equipment. While display filters in Wireshark can also isolate traffic after capture, applying a MAC filter at the capture level ensures that system resources aren’t wasted collecting unnecessary data, making it a proactive and resource-efficient choice for targeted network analysis.
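The capture filter behind the three paragraphs above is the BPF expression `ether host <mac>`, which matches a frame when the MAC appears as either source or destination (`ether src` and `ether dst` pick one direction). The script below is an added example, not the post's own filter file: it builds a few constructed Ethernet frames, parses the 14-byte header, and applies the same host/src/dst semantics so you can see exactly which frames a given filter keeps. The MAC addresses are sample values, not real devices.

```python
import struct


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the 14-byte Ethernet header; raises on runts."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "type": ethertype, "payload": frame[14:]}


def capture_filter(mac, direction="host"):
    """Text of the Wireshark/tcpdump capture filter for one device."""
    if direction not in ("host", "src", "dst"):
        raise ValueError("direction must be host, src or dst")
    return f"ether {direction} {mac.lower()}"


def matches(frame, mac, direction="host"):
    """Same decision the capture filter makes, applied to a parsed frame."""
    hdr = parse_frame(frame)
    mac = mac.lower()
    if direction == "src":
        return hdr["src"] == mac
    if direction == "dst":
        return hdr["dst"] == mac
    return mac in (hdr["src"], hdr["dst"])


def filter_frames(frames, mac, direction="host"):
    return [f for f in frames if matches(f, mac, direction)]


# Constructed sample traffic: a PC talking to a printer, plus an unrelated
# frame and an ARP broadcast from the printer. All MACs are made up.
PRINTER = "00:11:22:33:44:55"
PC = "aa:bb:cc:dd:ee:ff"
OTHER = "de:ad:be:ef:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build_frame(PRINTER, PC, payload=b"print job"),
    build_frame(PC, PRINTER, payload=b"ack"),
    build_frame(OTHER, PC, payload=b"unrelated"),
    build_frame(BROADCAST, PRINTER, ethertype=0x0806, payload=b"arp who-has"),
]

if __name__ == "__main__":
    for direction in ("host", "src", "dst"):
        kept = filter_frames(SAMPLE, PRINTER, direction)
        print(f"{capture_filter(PRINTER, direction)!r} keeps {len(kept)} of {len(SAMPLE)} frames")
```

Note that `ether host` keeps the printer's broadcast ARP as well as its unicast traffic, which is usually what you want for a baseline; the display-filter equivalent after the fact is `eth.addr == 00:11:22:33:44:55`. The "unless spoofed" caveat in the text cuts both ways: a MAC filter is a stable handle for a piece of hardware, but it is not evidence of identity, so in a security investigation pair it with the switch port the address was learned on.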



