I love tcpdump. When working in Windows (when I absolutely have to) I’ve been known to use Wireshark, but since I’m in Linux all day, working remotely over ssh, I’ve become close friends with tcpdump. My favorite thing about tcpdump is that I can view the entirety of a packet in HEX/ASCII. Below is an HTTP GET request for bamed.org from tcpdump using -XX which prints the full packet, including link layer headers, in both HEX and ASCII:
The following is a diagram of the IP and TCP headers in a TCP packet:

We will be using the above diagram to break apart a real packet dumped from tcpdump in HEX & ASCII. You can view a packet in HEX & ASCII with tcpdump with the -X flag, -XX to view the full packet including the link layer headers. The following is an HTTP GET request in HEX & ASCII:

 # tcpdump -nn -XX -s 0 -i eth1 host 50.23.47.206 and port 80
 07:52:44.995738 IP 50.23.47.206.48300 > 184.173.196.234.80: P 1:113(112) ack 1 win 46 
 0x0000: a4ba db54 44f7 0008 e3ff fd90 0800 4500 ...TD.........E.
 0x0010: 00a4 6879 4000 3a06 f85d 3217 2fce b8ad ..hy@.:..]2./...
 0x0020: c4ea bcac 0050 ae2e 354f 3859 9344 8018 .....P..5O8Y.D..
 0x0030: 002e 1c3d 0000 0101 080a 0815 5d41 239e ...=........]A#.
 0x0040: 8fc4 4745 5420 2f20 4854 5450 2f31 2e31 ..GET./.HTTP/1.1
 0x0050: 0d0a 5445 3a20 6465 666c 6174 652c 677a ..TE:.deflate,gz
 0x0060: 6970 3b71 3d30 2e33 0d0a 436f 6e6e 6563 ip;q=0.3..Connec
 0x0070: 7469 6f6e 3a20 5445 2c20 636c 6f73 650d tion:.TE,.close.
 0x0080: 0a48 6f73 743a 2062 616d 6564 2e6f 7267 .Host:.bamed.org
 0x0090: 0d0a 5573 6572 2d41 6765 6e74 3a20 6c77 ..User-Agent:.lw
 0x00a0: 702d 7265 7175 6573 742f 322e 3037 0d0a p-request/2.07..
 0x00b0: 0d0a

Each 2 HEX characters represents one byte of data, and remember there are 8 bits in a byte. So, the first section “a4b4″ represents 2 bytes or 16 bits. The diagram shows us the packet headers broken up into bits, so keep that in mind as we go through the entire packet.
Though our diagram above does not show it, the first 14 bytes of the above packet are the link layer header, Ethernet header in this example. These are “a4ba db54 44f7 0008 e3ff fd90 0800″. The first 6 bytes are the destination MAC address, the next 6 bytes are the source MAC address, and the last 2 bytes give us the EtherType.

Server’s MAC Address (Destination): A4:Ba:DB:54:44:F7
Default Gateway’s MAC Address (Source): 00:08:e3:ff:fd:90
EtherType : 0800 (Ipv4)
Other Common EtherTypes
0×0806 – ARP
0x96DD – IPv6

The next 20 bytes make up the IP header, “4500 00a4 6879 4000 3a06 f85d 3217 2fce b8ad c4ea”. The first 2 bytes, or 16 bits, represent the IP Version, Internet Header Length (IHL), and DSCP information. DSCP + ECN is not relevant to what we do, but for more information you can go tohttp://en.wikipedia.org/wiki/DSCP. The IHL is a number that represents the number of 32-bit words in the IP header. So an IHL of 5 means there are 5 32-bit words, or that the header is 20 bytes long. In hex this is 4500 and in Binary, 0100010100000000

Version: First 4 bits (0100) = 4 (Ipv4)
IHL (Internet Header Length): Next 4 bits (0101) = 5 32-bit words
Was TOS, Now DSCP (6 bits) + ECN (2 bits): Next 8 bits (00000000) – nothing set

The next 16 bits, or 2 bytes, give us the Total Length of the packet. This is the total length without the link layer headers, so its the IP header + TCP header + Data. In the above packet this is 00a4 in hex, which converts to 164 bytes. If you count the bytes in the above packet, excluding the Ethernet header, you will find that it is 164 bytes long.

The next 16 bits give us an Identification, followed by 16 bits more that set the fragmentation flags and fragmentation offset. The identification (6879 above) is a unique number randomly generated and used along with the fragmentation flags and offset in order to put fragmented packets back together. The fragmentation flags and offset (4000 above) are broken up into 3 bits for the flags and 13 bits for the offset.

Identification (Next 16 bits) = 6879 = Decimal 26745 – Packet ID, used to identify fragments
Flags & Fragmentation Offset ( Next 16 bits) = 4000 = Binary 010 0000000000000
Flags (first 3 bits) 010 (Reserved, Don’t Fragment, More Fragments)
Fragmentation offset (13 bits) – 0′s (it’s not fragmented)
The next 16 bits (3a06) give us the TTL and the Protocol:
TTL:Protocol(next 16 bits) = 3a06 – Binary 00111010 00000110
TTL: First 8 bits – 00111010 = 58
Protocol : Next 8 bit – 00000110 = 6 = TCP

Then we have the checksum, f85d. This is a checksum for the IP header only. It is used to verify the integrity of the IP header. Then the next 32 bits give us the source IP address, and the 32 bits after that the destination IP address:

Source IP (next 32 bits): Decimal 50.23.47.206 = Hex 3217 2fce
Destination IP (next 32 bits): Decimal 184.173.196.234 = Hex b8ad c4ea

If there were any IP options they would then follow; however, we do not have any options in the packet and you would rarely see any on our farm.

This brings us to the TCP header. We were able to determine the length of the IP header based on the IHL. This lets us know where the TCP header begins. In this instance the TCP header is “bcac 0050 ae2e 354f 3859 9344 8018 002e 1c3d 0000 0101 080a 0815 5d41 239e 8fc4″.

The TCP header begins with 16 bits for the source port and 16 bits for the destination port:
Source Port (Next 16 bits) = Hex bcac = Decimal 48300
Destination Port (Next 16 bits) = Hex 0050 = Decimal 80

This is followed by a 32 bit Sequence number and a 32 bit Acknowledgement number. The Sequence and Acknowledgement numbers are used to keep track of data as it is sent back and forth between client and server. The initial SYN packet includes a randomly generated Sequence number. The SYN+ACK that acknowledges this SYN packet uses the Sequence number from the SYN packet as the Acknowledgment number in the SYN+ACK packet. Also, the server will randomly generate a Sequence number to use in the SYN+ACK packet that the client will then use as its Acknowledgement number in the ACK packet it send back. Basically, these two numbers swap between client and server, and at the completion of each transmission and subsequent acknowledgement these number increment.

Seq Number (Next 32 bits) = Hex ae2e 354f
Ack Number ( Next 32 bits) = Hex 3859 9344
The Seq and Ack are used to keep track of packets
Ack # is the expected Seq # in next Ack packet incremented by 1 as it goes

The next 16 bits include both the Data Offset as well as the TCP flags. In the above example these 16 bits are 8018 in HEX or 1000000000011000 in Binary. The first 4 bits represent the Data Offset, binary 1000 or Decimal 8. This represents the number of 32-bit words from the beginning of the TCP packet to the Data. Essentially it is the length of the TCP header. So with a Data offset of 8, the TCP packet is 8 32-bit words long or 32 bytes long.
After the 4-bit data offset there are 3 Reserved bits, always 0, and then the TCP flags.
The TCP flags are each individual Binary flags used for various functions of TCP. Most of these we have already discussed. These 9 bits are in the order (NS|CWR|ECE|URG|ACK|PSH|RST|SYN|FIN). You can easily see how this works if we take the data in binary, 000011000 and place it in a table:

NS CWR ECE URG ACK PSH RST SYN FIN
 0   0   0   0   1   1   0   0   0

This shows us that the above packet has both the ACK and the PSH TCP flags set. Below is a brief explanation of these flags:
NS (1 bit) – ECN-nonce concealment protection
CWR (1 bit) – Congestion Window Reduced (CWR)
ECE (1 bit) – ECN-Echo indicates
URG (1 bit) – Urgent pointer field is significant
ACK (1 bit) – Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
RST (1 bit) – Reset the connection
SYN (1 bit) – Synchronize sequence numbers
FIN (1 bit) – No more data from sender

The next 16 bits are the Window scale option (002e). From wikipedia: “The window scale option is used only during the TCP 3-way handshake. The window scale value represents the number of bits to left-shift the 16-bit window size field. The window scale value can be set from 0 (no shift) to 14 for each direction independently. Both sides must send the option in their SYN segments to enable window scaling in either direction.”
Next there’s another 16 bit checksum (1c3d). This is a checksum for the TCP header. Then we have the 16-bit Urgent pointer (0000). If the URG TCP flag was set this data would be read. The Urgent pointer isn’t typically used in modern protocols.
Finally, we have our TCP options:

Options = the rest
0101 080a 0815 5d41 239e 8fc4
Option kind (1byte)
Option size (1byte)
Option data (variable)
01 = Noop (filler)
08 = TCP timestamp and echo of previous timestamp
080a 0815 5d41 239e 8fc4
8,10(0x0a),TTTT,EEEE (80 bits)

Now we get to the data. In this instance it's an HTTP GET request. Let's look at the data in HEX and ASCII:
 4745 5420 2f20 4854 5450 2f31 2e31 GET./.HTTP/1.1
 0d0a 5445 3a20 6465 666c 6174 652c 677a ..TE:.deflate,gz
 6970 3b71 3d30 2e33 0d0a 436f 6e6e 6563 ip;q=0.3..Connec
 7469 6f6e 3a20 5445 2c20 636c 6f73 650d tion:.TE,.close.
 0a48 6f73 743a 2062 616d 6564 2e6f 7267 .Host:.bamed.org
 0d0a 5573 6572 2d41 6765 6e74 3a20 6c77 ..User-Agent:.lw
 702d 7265 7175 6573 742f 322e 3037 0d0a p-request/2.07..
 0d0a

The HEX value 0d0a is a newline character in ASCII, so if we take the ASCII above and replace every HEX instance of 0d0a with a newline we get a normal HTTP GET request:

 GET / HTTP/1.1.
 TE: deflate,gzip;q=0.3.
 Connection: TE, close.
 Host: bamed.org.
 User-Agent: lwp-request/2.07.

And this gets us to the end of the packet.

Well, unlike many users I run across, I had a backup.  it was about a week old, but I only lost one blog post, so not really a huge deal.

So, as any IT guy will tell you, BACKUP! BACKUP! BACKUP!

FYI, Cpanel makes this pretty easy and HostGator has an easy to follow tutorial at http://support.hostgator.com/articles/cpanel/how-to-generatedownload-a-full-backup.  Restoring is actually pretty simple too.  If you have root on the server it’s real easy (I don’t from home), but if you are a HostGator customer and you have a full backup all you need to do is upload it to your account and fill out the form at https://secure.hostgator.com/restore.php and be sure to specify the location of the backup that you generated and a friendly HostGator admin (maybe even me) will restore the backup for you at no charge.

If you don’t have root, and you only need to restore a few files, or a database or two, you can also do it manually.  The CPanel generated backup is just a zipped up tarball that includes all of your account information in a few directories, a tarball of your home directory, and some SQL dumps of your MySQL databases.  So, I untarred my backup from SSH on the suer as my user:

~: tar -xvzf ????backup-4.5.2011_18-38-58_bamed.tar.gz

?This puts the content of the backup in ~/backup-4.5.2011_18-38-58_bamed.  Then all of my home directory is in a tarball named homdir.tar, so I untar it with:

~: tar -xvf backup-4.5.2011_18-38-58_bamed/homedir.tar

I ran this from my home directory, so the contents of homedir.tar extract directly into my home directory all the files going into the right places.  Once that was done, then I re-created my WordPress database in MySQL by following the instructions at http://www.hostgator.com/tutorials/cpanel/hgx3/creating-a-mysql-database.htm.  Not that I needed to actually follow the tutorial, I just low HG video tutorials.  Save me a lot of time trying to explain step-by-step instructions.  Anyway, I created the same DB name, unsername, and password that I had used before accidentally deleting everything.  If you don’t have this information saved, after you restore your homedir you can pull it from your wp-config.php file.

Anyway, after recreating the DB, I was able to restore it from the backup in ~/backup-4.5.2011_18-38-58_bamed/mysql.  The actual name of the backup file is the same as the name of the database you are restoring.  Just go to PHPMyAdmin from Cpanel and restore the database using the instructions at http://support.hostgator.com/articles/cpanel/how-to-import-your-mysql-database.  (Again, love those HG tutorials)

Then my site was back exactly as it had been on 4-5-2011 at 18:38:58(CDT).  Pretty exciting ehh?

So, that’s a quick rundown of doing a manual restore.  If I actually needed to restore some domain names, or email addresses, or anything else it would be a little more complicated, but I was only worried about a few files and one database so it was pretty easy and only took a few minutes.  I could have let my peers at HG do it, but why waste their time when I can do it myself.  Let them spend their time helping our customers.

Anyway, hopefully I’ll get back and blog some more stuff later.