Tuesday, August 13, 2013

Get Windows hostname from IP address via Samba

You can tell it's likely to be a Windows box by what ports it has open...

"The target host OS can often be guessed simply by looking at the ports which are open. Microsoft Windows machines often have TCP ports 135 and 139 open. Windows 2000 and newer also listen on port 445." (from http://nmap.org/book/osdetect-other-methods.html)

Once you've identified it's a Windows host, how can you tell which one?

Try this:

$ nmblookup -A 12.34.56.78
Looking up status of 12.34.56.78
        HOSTNAME        <00> -         M <ACTIVE>
        DOMAINNAME      <00> - <GROUP> M <ACTIVE>
        HOSTNAME        <1f> -         M <ACTIVE>
        HOSTNAME        <20> -         M <ACTIVE>
        DOMAINNAME      <1e> - <GROUP> M <ACTIVE>

        MAC Address = 00-11-22-33-44-55
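The node status table above is easy to read by eye but awkward to handle in bulk, so here is an added Python example (not part of the post, and not Samba's code) that parses `nmblookup -A` output and pulls out the machine name, the domain/workgroup and the MAC. The unique <00> name is what the Workstation service registered (the hostname), the <GROUP> <00> name is the domain or workgroup, and <20> is the File Server service; `SUFFIX_MEANINGS` holds the well-known suffix values. `SAMPLE_OUTPUT` is the output shown above, embedded so the parser runs offline; `query_host()` is a convenience wrapper that assumes Samba's `nmblookup` is on the PATH and validates the address before it reaches the command line.

```python
import ipaddress
import re
import subprocess

# Well-known NetBIOS name suffixes, keyed by (suffix, is_group).
SUFFIX_MEANINGS = {
    (0x00, False): "Workstation Service (machine name)",
    (0x00, True):  "Domain / workgroup name",
    (0x03, False): "Messenger Service",
    (0x1b, False): "Domain Master Browser",
    (0x1c, True):  "Domain Controllers",
    (0x1d, False): "Master Browser",
    (0x1e, True):  "Browser Service Elections",
    (0x1f, False): "NetDDE Service",
    (0x20, False): "File Server Service",
}

# One entry of the node status table, e.g.
#   "        HOSTNAME        <00> -         M <ACTIVE>"
#   "        DOMAINNAME      <00> - <GROUP> M <ACTIVE>"
# The name is matched non-greedily because NetBIOS names may contain spaces.
NAME_LINE = re.compile(
    r"^\s*(.+?)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*([BPMH])\s+<(\w+)>"
)
MAC_LINE = re.compile(r"^\s*MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed sample: the output shown in the post.
SAMPLE_OUTPUT = """\
Looking up status of 12.34.56.78
        HOSTNAME        <00> -         M <ACTIVE>
        DOMAINNAME      <00> - <GROUP> M <ACTIVE>
        HOSTNAME        <1f> -         M <ACTIVE>
        HOSTNAME        <20> -         M <ACTIVE>
        DOMAINNAME      <1e> - <GROUP> M <ACTIVE>

        MAC Address = 00-11-22-33-44-55
"""


def parse_node_status(text):
    """Turn `nmblookup -A` output into a dict: hostname, domain, mac, names."""
    names, mac = [], None
    for line in text.splitlines():
        m = NAME_LINE.match(line)
        if m:
            name, suffix, group, node_type, status = m.groups()
            names.append({
                "name": name.strip(),
                "suffix": int(suffix, 16),
                "group": group is not None,
                "node_type": node_type,   # B/P/M/H: how the host resolves names
                "status": status,
            })
            continue
        m = MAC_LINE.match(line)
        if m:
            mac = m.group(1).upper()

    def first(suffix, group):
        return next((n["name"] for n in names
                     if n["suffix"] == suffix and n["group"] == group), None)

    # Machine name: the unique <00> entry, falling back to the <20> server name.
    hostname = first(0x00, False) or first(0x20, False)
    return {"hostname": hostname, "domain": first(0x00, True), "mac": mac, "names": names}


def describe_names(record):
    """One human-readable line per registered name, with the suffix meaning."""
    out = []
    for n in record["names"]:
        meaning = SUFFIX_MEANINGS.get((n["suffix"], n["group"]), "unknown suffix")
        kind = "group" if n["group"] else "unique"
        out.append(f"{n['name']:<15} <{n['suffix']:02x}> {kind:<6} {meaning}")
    return out


def query_host(ip):
    """Run nmblookup -A against a validated IPv4 literal and parse the result.
    Assumes Samba's nmblookup is installed (an assumption of this example)."""
    ip = str(ipaddress.IPv4Address(ip))
    proc = subprocess.run(["nmblookup", "-A", ip], capture_output=True,
                          text=True, check=False)
    return parse_node_status(proc.stdout)


if __name__ == "__main__":
    rec = parse_node_status(SAMPLE_OUTPUT)
    print(f"host={rec['hostname']} domain={rec['domain']} mac={rec['mac']}")
    print("\n".join(describe_names(rec)))
```

A host that does not answer produces no name lines, so `hostname`, `domain` and `mac` all come back as `None` rather than raising; a MAC of all zeros is what Samba prints for hosts that are not Windows, so treat it as "unknown" rather than as an identifier.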

Tuesday, August 06, 2013

swap usage...

To find out how much swap processes are using...

On Solaris:

ps -eo vsz,rss,pid,args | sort -n
top -b -o size

Total swap used by pid

pmap -S $PID | tail -1 | awk '{print $4}'
20236


Don't really want to use these:

prstat -s rss
prstat -s size


Size: total virtual memory size of the process, including all mapped files and devices.
RSS: should be the resident set size, but is completely unreliable.

On Linux:


#!/usr/bin/perl -s
#
# Report per-process swap usage on Linux by summing the "Swap:" lines of
# /proc/PID/smaps.  Switches (parsed by "perl -s"):
#   -c    show the command line of each process
#   -n    suppress the header line printed with -c
#   -m=N  only report processes using at least N MB of swap
#   -t    print the total swap in use across all processes
#
use warnings;
use strict;

if ( $< != 0 ) {
    die "ERROR: $0 Needs to be run as root\n";
}
# Switch variables populated by "perl -s"
our ($c,$m,$n,$t);

opendir(my $proc,"/proc") or die "ERROR: cannot open /proc: $!\n";

my $pids;
my $total = 0;

for my $pid (grep {/^[0-9]+$/} readdir($proc)) {

    #
    # If the process has terminated already, skip on to the next one.
    #
    open(my $smaps, "<", "/proc/$pid/smaps") || next;
    # Anchored on "Swap:" so the "SwapPss:" line of newer kernels is not counted as well.
    while(<$smaps>) { next if !/^Swap:\s+(\d+) kB$/; $pids->{$pid}->{swap} += $1; }
    close($smaps);

    if ( $pids->{$pid}->{swap} ) {

        # cmdline is NUL-separated argv; turn the separators into spaces.
        $pids->{$pid}->{cmdline} = "";
        if ( open(my $cmdline, "<", "/proc/$pid/cmdline") ) {
            while(<$cmdline>) { s/\0/ /g; $pids->{$pid}->{cmdline} = $_; }
            close($cmdline);
        }
        $total += $pids->{$pid}->{swap};

    } else {

        delete $pids->{$pid};

    }

}
closedir($proc);

if ( $c && ! $n ) {
    print "  PID   Swap Cmd\n";
}
# Largest swap user first
for my $pid ( sort { $pids->{$b}{swap} <=> $pids->{$a}{swap} } keys %$pids ) {

    # Only report procs using at least 1MB
    next if $pids->{$pid}->{swap} < 1024;
    # -m=N raises that minimum to N MB
    # print "m [$m] swap[$pids->{$pid}->{swap}]\n";
    next if ( $m && $pids->{$pid}->{swap} < $m * 1024 );
    if ( $c ) {
        printf "%5d %4dMB %s\n", $pid, $pids->{$pid}->{swap} / 1024, $pids->{$pid}->{cmdline};
    } else {
        printf "%5d %4dMB\n", $pid, $pids->{$pid}->{swap} / 1024;
    }

}

if ( $t ) {
    printf "Total: %dMB\n", ${total} / 1024;
}
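The same /proc/PID/smaps approach, as an added Python example that is not the post's script: the parsing, sorting and minimum-size filtering are separated into functions so they can be exercised on a constructed smaps dump (`SAMPLE_SMAPS`) without root. Two points the script above does not show are handled here. First, kernels from 4.3 on also print a `SwapPss:` line per mapping, so the `Swap:` pattern must stay anchored at the start of the line. Second, `Swap:` counts a swapped page once for every process sharing it, so summing it over all processes overstates swap in use; `SwapPss:` splits each shared page between its sharers and sums to the real figure, and the report prints both totals. Processes that exit mid-scan, or whose smaps the caller may not read, are skipped.

```python
import os
import re

# Anchored on "Swap:" so the "SwapPss:" line (present since Linux 4.3) is not
# counted twice; it is tracked separately because it is the more honest number.
SWAP_LINE = re.compile(r"^Swap:\s+(\d+) kB$")
SWAPPSS_LINE = re.compile(r"^SwapPss:\s+(\d+) kB$")

# Constructed sample smaps dump: two mappings, the first shared with one other
# process (so its SwapPss is half of its Swap).
SAMPLE_SMAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234    /usr/bin/example
Size:                328 kB
Rss:                 100 kB
Swap:               2048 kB
SwapPss:            1024 kB
7f0000000000-7f0000021000 rw-p 00000000 00:00 0
Size:                132 kB
Rss:                  12 kB
Swap:                512 kB
SwapPss:             512 kB
"""


def swap_from_smaps(text):
    """Sum the per-mapping Swap: and SwapPss: counters (kB) of one smaps dump."""
    swap = swap_pss = 0
    for line in text.splitlines():
        m = SWAP_LINE.match(line)
        if m:
            swap += int(m.group(1))
            continue
        m = SWAPPSS_LINE.match(line)
        if m:
            swap_pss += int(m.group(1))
    return swap, swap_pss


def decode_cmdline(raw):
    """/proc/PID/cmdline is argv joined and terminated by NUL bytes."""
    return raw.rstrip(b"\0").replace(b"\0", b" ").decode("utf-8", "replace")


def scan_proc(proc="/proc"):
    """Return {pid: (swap_kb, swap_pss_kb, cmdline)} for every process with swap.
    A process that exits between readdir and open, or whose smaps we may not
    read (non-root), is skipped rather than aborting the scan."""
    procs = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "smaps")) as fh:
                swap, swap_pss = swap_from_smaps(fh.read())
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                cmd = decode_cmdline(fh.read())
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
        if swap:
            procs[int(entry)] = (swap, swap_pss, cmd)
    return procs


def report(procs, min_mb=1):
    """Rows (swap_kb, swap_pss_kb, pid, cmd) sorted by swap, largest first,
    limited to processes using at least min_mb MB, plus two totals over all
    processes: the naive sum of Swap: and the proportional sum of SwapPss:."""
    rows = sorted(
        ((s, p, pid, cmd) for pid, (s, p, cmd) in procs.items()), reverse=True
    )
    rows = [r for r in rows if r[0] >= min_mb * 1024]
    total_swap = sum(s for s, _, _ in procs.values())
    total_pss = sum(p for _, p, _ in procs.values())
    return rows, total_swap, total_pss


if __name__ == "__main__":
    rows, total_swap, total_pss = report(scan_proc())
    print("  PID   Swap  SwapPss Cmd")
    for swap, pss, pid, cmd in rows:
        print(f"{pid:5d} {swap // 1024:4d}MB {pss // 1024:5d}MB {cmd}")
    print(f"Total: {total_swap // 1024}MB (Swap), {total_pss // 1024}MB (SwapPss)")
```

Run it as root for a full picture; as an ordinary user it silently reports only your own processes, which is worth remembering when the totals look too small. When the two totals differ noticeably, the gap is swapped pages shared between processes (typically libraries), which `Swap:` counts once per process.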