:wq - blog » terminal

Annoyance, colored diffs in perforce

Lee — Mon, 01 Feb 2010 15:40:09 +0000

Quick one-off here, let’s begin.

Git has nice colored diffs, like this:

Perforce does not:

A simple script can remedy this:

Here’s the script:

Simply drop it somewhere in your $PATH and use it like so:

p4 diff | p4c.rb

You can find it in my one-offs directory (it’s called p4c.rb). We recently switched from subversion to perforce (definitely not my choice, I pushed for git), and so far it’s awful. I am definitely not a fan. This makes it a little better.

Vim setup explained

Lee — Mon, 15 Sep 2008 01:18:49 +0000

Since my site is named after a Vim command. I figured that I should eventually write something talking about my favorite text editor, and how I like it configured. What follows is the explanation of my .vimrc, as well as a description of the plugins that I use. A lot of the credit for this configuration goes to Bart Trojanowski, who has an excellent Vim configuration. At the bottom I’ll have a link to download any of the files themselves if you so desire. I hope you find it useful (everything in fixed-width font is the actual text, everything else is comments about it):

My ~/.vimrc:

Modelines have been abused in the past, and while I haven’t heard of anything lately that would abuse them, it’s always better safe than sorry. This requires the securemodelines vim script

" ---------------------------------------------------------------------------
" first the disabled features due to security concerns
set modelines=0               " no modelines [http://www.guninski.com/vim1.html]
let g:secure_modelines_verbose=0 " securemodelines vimscript
let g:secure_modelines_modelines = 15 " 15 available modelines

Since these are all simple features, I won’t bother to explain them besides the inline comments:

" ---------------------------------------------------------------------------
" operational settings
syntax on
set ruler                     " show the line number on the bar
set more                      " use more prompt
set autoread                  " watch for file changes
set number                    " line numbers
set hidden
set noautowrite               " don't automagically write on :next
set lazyredraw                " don't redraw when don't have to
set showmode
set showcmd
set nocompatible              " vim, not vi
set autoindent smartindent    " auto/smart indent
set expandtab                 " expand tabs to spaces
set smarttab                  " tab and backspace are smart
set tabstop=6                 " 6 spaces
set shiftwidth=6
set scrolloff=5               " keep at least 5 lines above/below
set sidescrolloff=5           " keep at least 5 lines left/right
set backspace=indent,eol,start
set showfulltag               " show full completion tags
set noerrorbells              " no error bells please
set linebreak
set cmdheight=2               " command line two lines high
set undolevels=1000           " 1000 undos
set updatecount=100           " switch every 100 chars
set complete=.,w,b,u,U,t,i,d  " do lots of scanning on tab completion
set ttyfast                   " we have a fast terminal
filetype on                   " Enable filetype detection
filetype indent on            " Enable filetype-specific indenting
filetype plugin on            " Enable filetype-specific plugins
compiler ruby                 " Enable compiler support for ruby
set wildmode=longest:full
set wildignore+=*.o,*~,.lo    " ignore object files
set wildmenu                  " menu has tab completion
let maplocalleader=','        " all my macros start with ,
set foldmethod=syntax         " fold on syntax automagically, always
set foldcolumn=2              " 2 lines of column for fold showing, always

set dictionary=/usr/share/dict/words " more words!

I do like candycode for my terminals (which tend to be black) and I like macvim for my GUI, so I change schemes depending on which I’m using.

if !has("gui_running")
      colorscheme candycode   " yum candy
end
if has("gui_running")
      colorscheme macvim      " macvim == win
      set guioptions-=T       " no toolbar
      set cursorline          " show the cursor line
end

For the taglist plugin, I want it to appear on the right and to quick vim as soon as I close the last file I’m working on.

" Settings for taglist.vim
let Tlist_Use_Right_Window=1
let Tlist_Auto_Open=0
let Tlist_Enable_Fold_Column=0
let Tlist_Compact_Format=0
let Tlist_WinWidth=28
let Tlist_Exit_OnlyWindow=1
let Tlist_File_Fold_Auto_Close = 1

Misc TOhtml settings

" Settings for :TOhtml
let html_number_lines=1
let html_use_css=1
let use_xhtml=1

My status line is basically [] [+] # /,

" ---------------------------------------------------------------------------
" status line
set laststatus=2
if has('statusline')
        function! SetStatusLineStyle()
                let &stl="%f %y "                       .
                        \"%([%R%M]%)"                   .
                        \"%#StatusLineNC#%{&ff=='unix'?'':&ff.'\ format'}%*" .
                        \"%{'$'[!&list]}"               .
                        \"%{'~'[&pm=='']}"              .
                        \"%="                           .
                        \"#%n %l/%L,%c%V "              .
                        \""
        endfunc
        call SetStatusLineStyle()

        if has('title')
                set titlestring=%t%(\ [%R%M]%)
        endif

endif

More simple search options, see inline comments

" ---------------------------------------------------------------------------
"  searching
set incsearch                 " incremental search
set ignorecase                " search ignoring case
set hlsearch                  " highlight the search
set showmatch                 " show matching bracket
set diffopt=filler,iwhite       " ignore all whitespace and sync

I *occasionally* use the mouse. If I have to.

" ---------------------------------------------------------------------------
"  mouse stuffs
set mouse=a                   " mouse support in all modes
set mousehide                 " hide the mouse when typing
" this makes the mouse paste a block of text without formatting it
" (good for code)
map  "*p

I prefer not to litter my current directory with backup files, so I put them all in ~/.backup. I also save a lot of line positions in the viminfo file.

" ---------------------------------------------------------------------------
"  backup options
set backup
set backupdir=~/.backup
set viminfo=%100,'100,/100,h,\"500,:100,n~/.viminfo
set history=200
"set viminfo='100,f1

I use ,ss to toggle between spellcheck on and spellcheck off.

" ---------------------------------------------------------------------------
" spelling...
if v:version >= 700

  setlocal spell spelllang=en
  nmap ss :set spell!

endif

Here are all the keyboard shortcuts I use most often:

" ---------------------------------------------------------------------------
" some useful mappings
" Y yanks from cursor to $
map Y y$
" for yankring to work with previous mapping:
function! YRRunAfterMaps()
    nnoremap Y   :YRYankCount 'y$'
endfunction
" toggle list mode
nmap tl :set list!
" toggle paste mode
nmap pp :set paste!
" change directory to that of current file
nmap cd :cd%:p:h
" change local directory to that of current file
nmap lcd :lcd%:p:h
" correct type-o's on exit
nmap q: :q
" save and build
nmap wm  :w:make
" open all folds
nmap fo  :%foldopen!
" close all folds
nmap fc  :%foldclose!
" ,tt will toggle taglist on and off
nmap tt :Tlist
" ,nn will toggle NERDTree on and off
nmap nn :NERDTreeToggle
" When I'm pretty sure that the first suggestion is correct
map r 1z=

I use this one quite often, as I often forget to do “sudo vim file” in the first case, now I don’t have to exit vim to write the file with sudo.

" If I forgot to sudo vim a file, do that with :w!!
cmap w!! %!sudo tee > /dev/null %
" ruby helpers
iab rbang #!/usr/bin/env ruby
iab idef def initialize

I think candycode looks good in all the color modes, but it’s still nice to set it up for different terms.

" ---------------------------------------------------------------------------
" setup for the visual environment
if $TERM =~ '^xterm'
        set t_Co=256
elseif $TERM =~ '^screen-bce'
        set t_Co=256            " just guessing
elseif $TERM =~ '^rxvt'
        set t_Co=88
elseif $TERM =~ '^linux'
        set t_Co=8
else
        set t_Co=16
endif

Switch between tabs with ,tn and ,tp

" ---------------------------------------------------------------------------
" tabs
" (LocalLeader is ",")
map tc :tabnew %    " create a new tab
map td :tabclose    " close a tab
map tn :tabnext     " next tab
map tp :tabprev     " previous tab
map tm :tabmove         " move a tab to a new location

Load extensions we need and change some format options for markdown files.

" ---------------------------------------------------------------------------
" auto load extensions for different file types
if has('autocmd')
        filetype plugin indent on
        syntax on

        autocmd BufReadPost *
                \ if line("'\"") > 0|
                \       if line("'\"") <= line("$")|
                \               exe("norm '\"")|
                \       else|
                \               exe "norm $"|
                \       endif|
                \ endif

        " improve legibility
        au BufRead quickfix setlocal nobuflisted wrap number

        " improved formatting for markdown
        " http://plasticboy.com/markdown-vim-mode/
        autocmd BufRead *.mkd  set ai formatoptions=tcroqn2 comments=n:>
        autocmd BufRead ~/.blog/entries/*  set ai formatoptions=tcroqn2 comments=n:>
endif

And that’s the .vimrc

Here are some of the plugins that I used:

NERD Commenter – auto comment sections of code
NERD Tree – display file tree for directories, like a project view
Alternate – Alternate between implementation and header files
Compview – Search for a word and display a window with results
GetLatestVimScript – Get the latest version of scripts
Matchit – Extended % matching
Rails – Tons of RoR stuff
Securemodelines – Secure modeline support
Taglist – display a list of tags from the file
VCScommand – help with files under revision control
Vimball – install vimball plugins
Yankring – have a ring of copy/paste buffers for history pasting
C – A collection of helpful things for C (Although mine is heavily customized)

Enough with text, here’s a couple of screenshots of how it looks:

I maintain a pretty-up-to-date copy of most of my configuration files in my github dotfile repository, that’s the best way to get this configuration as well as all the plugins that I use, you can download a tarball of all the files from the github (direct link: here) page as well.

Well, hope someone out there finds these configuration files useful. I welcome any feedback

Soon to come: an explanation of the project that I’ve been working on that has taken me away from blogging for so long, an Intrusion Detection System based on Locality events.

Update 10/23/08: After some theme changes, updated screenshot (no NERDtree or taglist shown in the image):

Update 12/9/09: Been over a year, just for a teaser of what it looks like now:

Compiling screen from CVS on OSX for vertical split.

Lee — Fri, 06 Jun 2008 15:41:59 +0000

Screen in an amazing tool. The latest version from CVS adds an amazing feature to allow you to split screens vertically (previously you could only split horizontally), which is extremely nice if you have a widescreen monitor. The only problem is that the patch isn’t yet included in MacPorts or Fink for this feature.

Here’s how to fetch it from source, patch it and build it yourself on OSX (tested on 10.5.3). First we need to check out the source:

shell> cvs -z3 -d:pserver:anonymous@cvs.savannah.gnu.org:/sources/screen co screen

Next, we need to manually apply the patches from MacPorts (assuming you’ve used MacPorts before). First change into the screen directory and apply the following 3 patches:

shell> cd screen/src shell> patch < /opt/local/var/macports/sources/rsync.macports.org/ release/ports/sysutils/screen/files/patch-maxargs shell> patch < /opt/local/var/macports/sources/rsync.macports.org/ release/ports/sysutils/screen/files/patch-windowsize shell> patch < /opt/local/var/macports/sources/rsync.macports.org/ release/ports/sysutils/screen/files/patch-pty.c

(Each of those should be on one line, I had to split them up to make the wrapping better).

Now, configure using the same method as the macports:

shell> ./configure --enable-locale --enable-telnet --enable-colors256 --enable-rxct_osc

From there, you should be able to do a make and make install to get your screen up and running. Vertical-split is bound to ctrl+a – | (control-a and pipe) (substitute whatever your bind key is for ctrl+a). Then you can use ctrl+a – :resize to resize the window, where is x%, -x, +x or x. Here’s a screenshot of it in action:

Decoding the SANS Christmas packet challenge using only NSM-Console

Lee — Sat, 12 Jan 2008 00:12:30 +0000

In my never-ending quest to find justification for writing NSM-Console, I hereby present the following tutorial on how to decode the SANS Christmas packet challenge using nothing but NSM-Console:

I’m going to be using NSM-Console version 0.4-DEVEL, which adds the features that allow this analysis to be performed without external tools. You can get the development version here. Alright, let’s get this party started:

First things first, the fellows at SANS point you to the first packet in the xmas_Starter.pcap file, so let’s load up NSM-Console with the packet capture

./nsm ~/xmas_Starter.pcap

Next, let’s do a printout of all the packets in this dump (since it’s a small file, there shouldn’t be too many)

nsm> p * Args: * Filename: /Users/hinmanm/xmas_Starter.pcap list from 1 to * 1 1198471642.61773 192.168.25.1 -> 192.168.25.255 UDP 138 > 138 Len=243 2 1198471662.79806 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=254 3 1198471662.79813 192.168.25.128 -> 192.168.25.100 TCP 1000 > 7337 Len=58 4 1198471662.79877 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=60 5 1198471663.79691 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=254 6 1198471663.79697 192.168.25.128 -> 192.168.25.100 TCP 1000 > 7337 Len=58
… etc, etc, etc, to a total of 25 packets

Well, the SANS guide says to start at packet #1, so let’s take a look at it

nsm> p -x 1
(see image for output)

Whoops, this doesn’t look like useful output, maybe they meant the first TCP packet? (Instead of UDP). Looks like the first TCP packet is #2, so let’s look at that one:

nsm> p -x 2 Args: 2 Filename: /Users/hinmanm/xmas_Starter.pcap full from 2 to 2 2 1198471662.79806 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=254 0010 53 57 34 67 64 47 68 6c 49 47 31 76 64 6d 6c 6c SW4gdGhlIG1vdmll 0020 49 45 45 67 51 32 68 79 61 58 4e 30 62 57 46 7a IEEgQ2hyaXN0bWFz 0030 49 45 4e 68 63 6d 39 73 4c 43 42 6f 62 33 63 67 IENhcm9sLCBob3cg 0040 62 57 46 75 65 53 42 75 61 57 64 6f 64 43 68 7a bWFueSBuaWdodChz 0050 4b 53 42 6b 61 57 51 67 64 47 68 6c 49 48 52 6f KSBkaWQgdGhlIHRo 0060 63 6d 56 6c 49 48 4e 77 61 58 4a 70 64 48 4d 67 cmVlIHNwaXJpdHMg 0070 59 32 39 74 5a 53 42 30 62 79 42 32 61 58 4e 70 Y29tZSB0byB2aXNp 0080 64 44 38 3d 00 00 00 00 00 00 00 00 00 00 00 00 dD8=............ 0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Ahh, that looks like more readable output, due to the string ending with “=”, it’s most likely encoded in base64 (since = is used for padding). Let’s output the string in just plain ascii so we can decode it easier

nsm> p -a 2 Args: 2 Filename: /Users/hinmanm/xmas_Starter.pcap ascii from 2 to 2 2 1198471662.79806 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=254 SW4gdGhlIG1vdmllIEEgQ2hyaXN0bWFzIENhcm9sLCBob3cgbWFueSBuaWdodChz KSBkaWQgdGhlIHRocmVlIHNwaXJpdHMgY29tZSB0byB2aXNpdD8=...................... ..............................................................

(I put line breaks in so it wouldn’t distort the page)
Okay, let’s take this line and decode it to get our first clue

nsm> decode base64 SW4gdGhlIG1vdmllIEEgQ2hyaXN0bWFzIENhcm9sLCBob3cgbWFueSBuaWdodChz KSBkaWQgdGhlIHRocmVlIHNwaXJpdHMgY29tZSB0byB2aXNpdD8= Decoding base64 --> ascii... Output ([]'s added to show beginning and end):

[In the movie A Christmas Carol, how many night(s) did the three spirits come to visit?]

Alright! Got the clue! Now let’s load up our answer file and get the next one

nsm> file /Users/hinmanm/xmas_challenge_2007.pcap Setting ${PCAP_FILE} = /Users/hinmanm/xmas_challenge_2007.pcap Setting ${PCAP_BASE} = xmas_challenge_2007.pcap

Since the 3 spirits came on 1 night, we know our next answer is in packet #1, so let’s take a look

nsm> p -a 1 Args: 1 Filename: /Users/hinmanm/xmas_challenge_2007.pcap ascii from 1 to 1 1 1194153111.12232 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=154 QWxsIEkgd2FudCBmb3IgQ2hyaXN0bWFzIGlzIG15IF9fX18gRnJvbnQgVGVldG gu....................................

Aha! Another base64 encoding, let’s decode it

nsm> decode base64 QWxsIEkgd2FudCBmb3IgQ2hyaXN0bWFzIGlzIG15 IF9fX18gRnJvbnQgVGVldGgu Decoding base64 --> ascii... Output ([]'s added to show beginning and end):

[All I want for Christmas is my ____ Front Teeth.]

Alright, I think this shows the basic idea, and since this post is to illustrate some of the new features of NSM-Console (rather than the solution to the puzzle), let’s skip on ahead.

Packet 2 leads you to packet 3
Packet 3 leads you to packet 9
Packet 9 leads you to packet 11
Packet 11 leads you to packet 12
Packet 12 leads you to packet 359

Here’s where things start to get a little more interesting, printing out packet 359 shows that it doesn’t look like it’s encoded base64 anymore, in fact it looks like it’s urlescaped

nsm> p -x 359 Args: 359 Filename: /Users/hinmanm/xmas_challenge_2007.pcap full from 359 to 359 359 1194153771.83615 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=154 0010 38 37 25 32 30 31 30 31 25 32 30 4e 55 4c 4c 25 87%20101%20NULL% 0020 32 30 31 31 39 25 32 30 31 30 35 25 32 30 31 31 20119%20105%2011 0030 35 25 32 30 31 30 34 25 32 30 4e 55 4c 4c 25 32 5%20104%20NULL%2 0040 30 31 32 31 25 32 30 31 31 31 25 32 30 31 31 37 0121%20111%20117 0050 25 32 30 4e 55 4c 4c 25 32 30 39 37 25 32 30 4e %20NULL%2097%20N 0060 55 4c 4c 25 32 30 37 37 25 32 30 31 30 31 25 32 ULL%2077%20101%2

Also, the SANS challenge mentions that the message may or may not be in multiple packets, so let’s check the next one

nsm> p -x 360 Args: 360 Filename: /Users/hinmanm/xmas_challenge_2007.pcap full from 360 to 360 360 1194153772.83062 192.168.25.100 -> 192.168.25.128 TCP 7337 > 1000 Len=154 0010 25 32 30 31 31 34 25 32 30 31 32 31 25 32 30 4e %20114%20121%20N 0020 55 4c 4c 25 32 30 36 37 25 32 30 31 30 34 25 32 ULL%2067%20104%2 0030 30 31 31 34 25 32 30 31 30 35 25 32 30 31 31 35 0114%20105%20115 0040 25 32 30 31 31 36 25 32 30 31 30 39 25 32 30 39 %20116%20109%209 0050 37 25 32 30 31 31 35 25 32 30 34 34 25 30 44 25 7%20115%2044%0D% 0060 30 41 38 37 25 32 30 31 30 31 25 32 30 4e 55 4c 0A87%20101%20NUL

Looks like a continuation, if you print out a few more, you find out that the data stops in packet #365, let’s print out all the packets so we can see what the data looks like

nsm> p -x 359-365
(see picture for output, too long to paste here)

Alright, looks like we’ve got our message, let’s decode it

nsm> p -a 359-365
gives us:

nsm> decode urlescape
shows:

That looks like decimal ascii values, let’s decode the values using the “char” decoding

nsm> decode char
Here’s the output from decoding each of the 3 lines:

And look! There’s our message (I replaced all the ‘NULL’s with spaces):

We wish you a Merry Christmas, We wish you a Merry Christmas, We wish you a Merry Christmas and a Happy New Year!!!

Merry Christmas to you too SANS, and thanks for the awesome challenge!

You can check out SANS’ solution for the challenge here.
You can check out Geek00l’s full solution for the challenge here.

If it wasn’t for this challenge, we might not have had the idea to include these features in NSM-Console, I’m glad we did and I hope it proves useful to the rest of the packet monkeys out there

P.S. A big thank-you to Scholar for letting me use his pcap parsing library, thus eliminating the dependency on any 3rd party libraries to do all the packet reading, thanks a bunch!

Have another idea for a feature that should be in NSM-Console? Shoot me an email or leave a comment!