Take a view: Landscape Photographer of the Year 2008

Posted on By Mark Wilson

Earlier this evening, I dropped by London’s National Theatre to take a look at the free exhibition of images from this year’s Landscape Photographer of the Year competition. Promoted by renowned landscape photographer Charlie Waite, this exhibition features images of the highest standards that highlight the very best of our varied country. With everything from London skylines made up of 15 images stitched together (and almost a year of effort to capture them) to the Glastonbury Festival captured on a mobile phone (demonstrating that excelling at photography is about far more than just the equipment), I was captivated by the vistas, seascapes and iconic structures featured in the exhibition. I had to laugh too when I read the photographers’ captions and my long-suffering wife should draw some comfort that she is not alone in being deserted for a photo opportunity – Adam Burton tells of how he searched for the ultimate picture of Bambrough Castle on a trip to celebrate their first wedding anniversary and Ian Cameron told of how he “begged his wife for a few minutes to photograph [hoar-frosted fields at dusk]” and “returned to the car, an hour and ten rolls of film later, grinning from ear to ear”.

Landscape Photographer of the Year - Collection 2 (book cover)There’s also an accompanying book (Landscape Photographer of the Year: Collection 2), published by the AA (available from the National Theatre bookshop for £25).

In addition to the free exhibition at the National Theatre, Charlie Waite will be giving talks on Seeing Landscapes at the theatre on four dates (11:30 on 8/9 December 2008 and 5/6 January 2009). I’ve heard Charlie speak before and found him inspirational so I’ll be there to hear him speak again – tickets are £5 from the National Theatre box office.

Using Wireshark for basic packet capture and analysis

Posted on By Mark Wilson

As I’m trying to get my head around the notes I made from last week’s Wireshark webcast by Mike Pennacchi of Network Protocol Specialists, I thought I’d post the highlights here – these are just my notes with very little interpretation or linking out to other sites, so check out the video for more detail:

  • Analyser placement is critical to successful network troubleshooting – switched networks provide direct traffic so you can’t just plug in and view everything right away.
  • Three common methods for monitoring a switched network are:
    • Spanning/port mirroring – copying ingress and egress traffic between switch ports to form a single data stream – even for an entire VLAN (although it’s likely that would exceed the capabilities of the destination port).
      • Advantages include: configuration requires no interruption to traffic flow; multiple ports can be sent to a single port; remote spanning is possible between switches; some switches can filter packets as part of the spanning.
      • Disadvantages include: configuration requires access to the switch; not all switches fully support spanning; has been known to cause problems.
    • Tap – for monitoring full duplex traffic, including physical errors, passing traffic between devices in a fault tolerant manner.
      • Taps may be fibre or copper-based.
        • Fibre taps require no power and will split the signal using a ratio intended to provide the greatest signal level to the destination and a usable signal for analysis.
        • Most copper taps regenerate the signal (and will pass the signal on directly in the event of power failure).
      • Port aggregation taps can internally combine data streams, allowing a single port to capture full duplex traffic and also to buffer traffic when the combined data rate exceeds the egress data rate for the port. They can be:
        • Passive – dropping inbound packets from the analyser.
        • Allow reset packets – allowing packet injection, e.g. for an intrusion detection system to kill a TCP connection.
      • Advantages include: taps are independent of the switch infrastructure and work out of band.
      • Disadvantages include: the link needs to be broken to insert the tap and, for full duplex taps, the analyser needs to be able to accept two streams and merge them into a single trace file.
    • Hub – an inexpensive solution to copy all traffic to all other ports, including physical errors.
      • Hubs are effectively repeaters.
      • Beware that some hubs are really switches, labelled as hubs.
      • Dual-speed hubs are actually switched between the 10 and 100Mbps networks – so the analysis device will need to operate at the same speed as the devices being monitored otherwise only broadcasts will be detected from devices running at a different speed.
      • Advantages include: low cost, easy to install and readily availble; traffic can be sent to multiple monitoring ports.
      • Disadvantages include: only half duplex; not fault tolerant and require breaking the link for installation.
  • Wireshark analysis method (D.I.S.C.A.R.D.):
    • Download Wireshark (free).
    • Install – two components: the Wireshark application and the packet capture driver (for Windows that’s Winpcap).
    • Setup – select the interface (from the Capture menu) and click Prepare. Where present, a generic dialup adapter can be used to capture VPN packets prior to encryption. Ensure that promiscous mode is used to capture all frames seen by the interface (not just those addressed to the analyser). Set capture filters if required (but it may be better to filter post-capture). Tweak the display options to improve performance – turn off real-time packet listing and automatic scrolling.
    • Capture – click start to run a capture. In practice, the maximum capture rate using a built-in NIC before packets begin to drop will be around 230Mbps although cards are available for full duplex 1Gbps network captures (e.g. the Cace TurboCap).
    • Analyse – view frames using the display filter against the packet list, then view the packet detail and, if necessary, the packet bytes. Setting the time display format (on the View menu) as seconds since previous displayed packet will help to identify gaps. Even encrypted traffic will show the deltas. The filter input box turns green when a valid filter is applied – alternatively the Expression option provides a GUI to assist. Some filters are case-sensitive and beware when using booleans with multiple filters (i.e. use or not and to avoid attempting to filter on two protocols at the same time!). Follow TCP Stream can be useful to quickly create a filter based on an IP address pair and particular port numbers.
    • Resolve – after thorough analysis, resolve the issues.
    • Document the solution.
  • Pilot is a companion tool for Wireshark (chargable) and offers deep packet analysis.
  • Example captures are available at Packetlife.net