The Network Engineering Tool

The Network Engineering Tool (which I will now refer to as the netool) is the result of an Indiegogo campaign. I borrowed the unit I tested from the WLPC Lending Library. The netool is a portable, battery powered unit that when connected to an Ethernet port will provide you with information about that port, similar to a NetScout LinkSprinter (~$379), but at a much lower price point ($169). I did not really set out to make this a comparison against the LinkSprinter, but it somewhat turned out that way and I’m okay with that. It’s a natural comparison.

With the netool, you can connect it to an Ethernet port and it will provide you the following information via an app on your mobile device:

  • Connection up/down status
  • Speed of connection
  • DHCP Info
  • Public IP
  • VLAN (for tagged ports)
  • Detects LACP
  • STP Info
  • Can test QoS
  • Detect and authenticate using 802.1X
  • Switch information via CDP/LLDP
  • Verify reachability via ping for default gateway,, and configurable addresses

It’s a pretty nifty tool. Here’s some screenshots of the diagnostic screen.

The netool can also provide an AP allowing direct connection to the device. It also has an interesting Host Discovery mode that can detect information from a host device (as opposed to a switch), however, I was unable to discover the macOS box I was using. This is a new feature in the latest build and I didn’t try very hard to make it work. It’s promising, though.

I was initially unable to get any useful data from the unit because it was on a very old firmware. It’s supposed to be able to update online, but the build was so old that wasn’t working. I had to power the device off and on, connect it to the network, and go to to force a manual update. After this procedure, it worked well.

There are a few potential downsides to this device. First, it takes about 30s to start up. That’s just when you first turn it on, but you can continue to test multiple network drops without restarting it. If a network connection goes up or down, it takes several seconds to notice. This could be an annoying delay when troubleshooting. Being used to the LinkSprinter, both these delays are a minor, but real annoyance. The delay in detecting up/down changes is far more annoying than the delay in startup. Potentially the biggest downside vs the LinkSprinter, at least for the WLAN pro, is that it does not detect and report on PoE.

The ability to share results is limited to text based tools and there’s no database of results hosted in the cloud. It does have an on-board history, but that’s the only place it’s stored. Having some form of cloud based history is very convenient. Again, I have to draw a comparison here against the Link-Live service for the LinkSprinter. Link-Live allows multiple users and multiple units to be associated, allows photos and notes to be added, and can also send your results via email. It’s a much more enterprise-type solution. This is probably a bigger deal for larger shops than one-man operations, but it’s one of the things you get for the higher price point.

Lastly, the only way to get the information from the netool is through the app on your smartphone. The LinkSprinter has helpful LEDs to give you a quick thumbs up/down on a link, which can save you time. Again, how big a deal this is depends on your use case.


Despite the potential downsides I mentioned, this is still a slick device. It does do things the LinkSprinter cannot, such as provide STP info, detect LACP, and detect VLAN tags. LinkSprinter does a few things it cannot, like detect PoE. The netool has had many features added since it first was released and I presume they will continue to add new features. I think this could be a great addition for many an engineer’s toolkit, especially at its price point and given its potential for new features. If I can only carry one, I personally will continue to carry my LinkSprinter. It fits my needs better and I already own them. For a route/switch focussed engineer, I could see the netool being a better fit. Pick the tool that best fits your needs or just buy both to make sure your bases are covered. :)


Fixing macOS Sierra/OpenSSH 7.x Compatibility

I’ve seen this question come up several times from users of macOS Sierra who use SSH after upgrading. It usually goes something like, “Has anyone seen this since upgrading to Sierra?”

Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Another issue you might come across is your public key ceasing to work. If you connect with the verbose option (ssh -v hostname), you might catch a bit like this in the output:

Skipping ssh-dss key /Users/scottm/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes

These aren’t Sierra issues per se, but are more specifically related to the upgrade from OpenSSH 6.9 in El Capitan to OpenSSH 7.2 in Sierra. OpenSSH deprecated a number of methods and algorithms in 7.0. They are still supported, but are disabled by default. For more information, check out OpenSSH: Legacy Options.

That’s all fine and dandy, but what you really want is a solution. You probably have some security appliance, router, or similar that doesn’t support any other methods and you just need it to work. Perhaps like me, you have an older private key that isn’t up to the new requirements, but you still need to use it. The options to fix these issues are KexAlgorithms +diffie-hellman-group1-sha1 and PubkeyAcceptedKeyTypes=+ssh-dss. You can add these at the command line (ssh -o PubkeyAcceptedKeyTypes=+ssh-dss hostname), but that’s kind of a pain.

A more convenient way to use them is to add these options to your ~/.ssh/config file. If you don’t already have this config file, it’s a plain text file you can create with your text editor of choice. At the top of the file, add:

# Settings for all hosts
PubkeyAcceptedKeyTypes +ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1

Now your public key and the key exchange algorithm will work anywhere you connect. Perhaps you’d like a bit more granularity?

# Settings for all hosts
PubkeyAcceptedKeyTypes +ssh-dss

# Host specific settings
Host *
 KexAlgorithms +diffie-hellman-group1-sha1
 User username

This allows the public key for all hosts, but only allows the diffie-hellman-group1-sha1 algorithm to be used with hosts matching the wildcard. Additionally, this example shows using a different username than your login on your local machine. There are a lot of options available, but these are the ones I use most. You might also find Compression yes to be useful if you connect to hosts with low bandwidth links.
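An added example, not part of the original post: a POSIX shell function that audits an ssh client config for the two legacy options discussed above and reports whether each one applies to every host or only inside a scoped Host block. The function names, the sample config and the host name legacy-fw.example.net are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an ssh client config for the legacy options from this
# post and show the scope each one applies to. Function names are hypothetical.

# audit_ssh_legacy FILE
# Output, tab-separated: scope, keyword (lowercased), value, line number.
audit_ssh_legacy() {
  awk '
    BEGIN { scope = "GLOBAL" }   # options before any Host/Match apply everywhere
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      # ssh_config accepts "Keyword value" and "Keyword=value"
      if (!match(line, /[ \t=]+/)) next
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", val)
      if (key == "host") {
        # a bare "*" pattern matches every host, so it is still global
        scope = "Host " val
        n = split(val, pats, /[ \t]+/)
        for (i = 1; i <= n; i++) if (pats[i] == "*") scope = "GLOBAL"
        next
      }
      if (key == "match") {
        scope = (tolower(val) == "all") ? "GLOBAL" : ("Match " val)
        next
      }
      weak_kex = (key == "kexalgorithms" && val ~ /diffie-hellman-group1-sha1/)
      # PubkeyAcceptedAlgorithms is the name newer OpenSSH releases use
      weak_key = (key ~ /^pubkeyaccepted(keytypes|algorithms)$/ && val ~ /ssh-dss/)
      if (weak_kex || weak_key)
        printf "%s\t%s\t%s\t%d\n", scope, key, val, NR
    }' "$1"
}

# has_global_legacy FILE: succeeds when a legacy option applies to all hosts.
has_global_legacy() {
  audit_ssh_legacy "$1" | grep -q '^GLOBAL'
}

# Constructed sample config; the host name is a placeholder.
sample_config() {
  cat <<'EOF'
# Settings for all hosts
PubkeyAcceptedKeyTypes=+ssh-dss

Host legacy-fw.example.net
  KexAlgorithms +diffie-hellman-group1-sha1
  User admin

Host *
  Compression yes
  kexalgorithms +diffie-hellman-group1-sha1
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
audit_ssh_legacy "$cfg"
has_global_legacy "$cfg" && echo "legacy algorithms are enabled for every host"
rm -f "$cfg"
```

Run against your own file with `audit_ssh_legacy ~/.ssh/config`; any line reported as GLOBAL offers the deprecated algorithm to every server you connect to, not only the appliance that needs it.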

As an aside, if you are a macOS user using Terminal, I highly recommend checking out iTerm2. It’s far superior to Terminal and has many features to improve the experience of using the shell.


Fixing the Prolific Driver on OS X

Prolific USB to Serial Adapter

There are a couple different USB to serial adapters that you might use as a network engineer. The one pictured in the article is manufactured by Prolific, but sold by multiple different vendors. There’s also another manufactured by FTDI, which I’ve heard good things about, and of course the one built into recent Cisco hardware. The driver for the chip used by Cisco is conveniently included in OS X, but the FTDI and Prolific chips require their own drivers. Myself, I have used the Prolific cables for years and have been generally happy with them.

The best drivers for the Prolific come directly from the manufacturer, not the vendors that resell them. This is because the vendor provided drivers always seem to be out of date. However, the drivers from Prolific don’t work with all cables out of the box. I’m going to show you how to fix that.

1. Get the Driver

If you haven’t already, hop over to the Prolific site to download the driver and install it. Here’s the URL at the time of this writing:

If you are running OS X Yosemite, you may need to read this article to get the driver working: OS X Yosemite and Prolific USB Drivers.

2. Discover Magic Numbers

OK, the numbers aren’t really magic, but the driver will need them so that it can be associated with your USB device. Head to Apple -> About This Mac and choose System Report. Select USB and scroll until you find your Prolific USB device. It should look something like this:

Watch for the Manufacturer (circled in blue). Then note the Product ID and Vendor ID (circled in red). We will be adding these to the driver.

3. Hex to Decimal Conversion

Calculator in hex mode

We need to convert the hex numbers to decimal. An easy way to do that is to run Calculator and hit Command-3. Click the “16” above the clear button to switch to hex and enter the number you want to convert (like 0x2008 from the example). Now click the 10 and you have the hex to decimal conversion. If you used 0x2008, you should get 8200. You need to convert both the product and vendor IDs.

4. Edit the Driver

Fire up your favorite terminal emulator and head here:

cd /System/Library/Extensions/ProlificUsbSerial.kext/Contents

At this point, you will need to either fire off a root shell or sudo everything.[1]

Safety First! Back up your Info.plist so you can fix the driver if you break it.

Edit Info.plist with your editor of choice. Scroll down and you will find a section that looks like this:


What you want to do is copy and paste that section. I don’t think the <key> actually matters, but you can change it to match the hex version of the vendor and product ID. So if your vendor ID was 0x2478 for Tripplite with a product ID of 0x2008, you can change the key for your new section to:


Then you will want to put the decimal versions that you converted before into the idProduct and idVendor sections. So for the Tripplite example you only need to change the idVendor and it would look like this:


So the final product for my Tripplite version of the Prolific adapter works when I have this section added:


5. Kick the Driver

Now you need to unload and reload the driver to load the new settings:

$ kextunload /System/Library/Extensions/ProlificUsbSerial.kext
$ kextload /System/Library/Extensions/ProlificUsbSerial.kext

You should now have a working USB device! This is a bit of a hassle. I recently found another way to solve this problem, but it’s not free and it’s another blog post.


OS X Yosemite and Prolific USB Drivers

Prolific USB to Serial Adapter

[Note from November of 2015: This stopped working for me. I have not tried to make this work in El Capitan. I am now using the app Serial. It’s not cheap at $29.99 (£22.99), but it works. I’ve not had any problems with any USB serial adapter (including USB consoles of Cisco devices) since I started using it. Highly recommended!]

[Note from December 2015: You might try the driver from Aten. Go there, select Resources, then Software & Driver. It has been reported that this driver works on El Capitan.]

If you are an OS X user, you know that a new OS has come out. New OS upgrades are always shiny, but also come with some level of risk. I have an old MacBook that had been running the Yosemite beta, so I wasn’t too worried about upgrading my primary laptop when the Yosemite final was released. All was fine and dandy until I was onsite and couldn’t console into a router because my ATEN USB to serial adapter wasn’t working…

I’ve been using this particular model of adapter for a long time. They have had the occasional driver issue, but they’ve been good and reliable overall, so I was surprised when I tried to open the device and it wasn’t present. This was odd, but I immediately realized it probably had to do with the OS upgrade. No problem, I’ll just reinstall the driver, problem solved!

Not so much. The device still wasn’t loading. At this point, I’m becoming concerned. I ran Console and saw this error when I plugged in my USB adapter:

10/30/14 14:32:09.553[19]: ERROR: invalid signature for
com.prolific.driver.PL2303, will not load

Well, that’s not good. After a bit of searching, I discover that it’s Windows Vista all over again. Well, it’s not actually that bad, but it did remind me of a behavior change in Vista that required all drivers to be signed with a trusted signature. Apparently, Mavericks has been helpfully logging warnings about this, but since nothing had stopped working, I guess no one did anything to fix it. Now with Yosemite, all kernel extensions must be signed or they won’t load. No problem, I’ll just install the updated driver!

Not so much. The device driver is the same as the one I already have. Fortunately, I’d already found the workaround. With Windows Vista, you could hit F8 at boot and boot in a dev mode that allowed any driver to load. You had to do that every time you booted. Fortunately, with Mac you only need to run this command once and reboot, after which it’s set:

sudo nvram boot-args="kext-dev-mode=1"

After rebooting, I found that I had to manually load the kext the first time, but it seems to have been auto-loading ever since. To manually load the kext:

sudo kextload /System/Library/Extensions/ProlificUsbSerial.kext

If you check your logs, you’ll see it’s back to a warning when the kext is loaded:

11/12/14 19:12:41.747[19]: kext-dev-mode allowing invalid
signature -67062 0xFFFFFFFFFFFEFA0A for kext

More importantly, you’ll have your device working and can finally fix that router you’re supposed to be fixing…


NetScanTools Pro

We all like tools (sometimes read “toys”). Especially nifty ones. One of the tools I’ve used for years is NetScanTools Pro from NorthWest Performance Software. Kirk Thomas is the founder of the company and you can find him on Twitter as @NetScanTools. I’ve talked to him many times on Twitter and he is extremely helpful and very open to input from his customers.

NetScanTools Pro

I was first introduced to NetScanTools Pro by Laura Chappell of Chappell University, where she teaches about protocol analysis and Wireshark. It’s something of a network discovery tool and then some. It has a collection of active and passive discovery tools, various DNS tools, and some packet level tools. The value in most of this is that all the tools are in one place and it has automation to grab lots of information very quickly, though there are a few unique tools. The only downside to this tool is that it’s only on Windows.

Discovery Tools

You can find out a lot about a network by digging through its DNS entries, scanning hosts, doing whois lookups, etc. That generally takes time. NST can really speed this up with several automated reports. In just a few minutes it can give you a report for a domain that includes whois records, DNS details, MX records, blacklists, traceroute with geolocation, port scans, and more.

NetScanTools Scanning

NetScanTools running a scan. You can see most of the options here.

This can save a lot of time in discovering information about a network. You don’t have to do everything as an automated scan. You can also run the tools individually.

There are also a number of tools that give you information about the computer and local network that NST is running upon. If it has something to do with the network, NST has a tool to tell you about it.

Testing Tools

NST also includes what I would call testing tools. The SMTP testing tool is nice because you can set just about any set of options. You can test authentication, specific encryption settings, whether messages relay, and much more. It’s all the power of directly connecting to port 25 with telnet, but with checkboxes. You can perform SNMP walks and scans, including SNMPv3 support. A TCP terminal, which essentially allows you to telnet to any port, but with the added ability to choose the source port, is also included. There is also a TimeSync tool, which is useful for checking NTP servers. How about this set of options for the enhanced ping tool:

More ping options than you know what to do with.

Packet Tools

There is a nice little collection of packet tools that let you generate arbitrary packets, send Wake on LAN packets, capture packets, and play back a capture. The capture app isn’t Wireshark, but it’s convenient and you can always save the capture and open it in Wireshark.

The options for the NetScanTools Pro packet generator

SSL Certificate Scanner

I like this one. Give it a list or range of IPs, and it’ll tell you about the SSL certs. This could be useful to scan a network and check for soon to be expired certificates, for example.

Yep, my SSL cert is still valid

Graphical Traceroute

If you like mtr, you should also like the new Graphical Traceroute tool. Since a picture is worth 1000 words and since it is Graphical Traceroute, I think the best way to describe this tool is with a screenshot.

The new Graphical Traceroute tool is nifty.

Closing Thoughts

I’ve had this toolset for years. It’s not one I use every day, but it’s nice to have when I need it. It just has so many tools bundled into one place and most of them support IPv6. It has a free 30 day demo, so give it a shot and explore this toolset.


I use this software and have paid for this software, however, I did receive a nice discount on my last maintenance renewal when I planned to write a blog post about the software.


Making a Bootable ESXi USB Drive

The Quick and The Not So Quick

Today, I set out to do what I thought would be a simple and relatively quick task.

VMware USB Drive

As an aside, have you ever noticed that the “quick and easy” tasks seem to take the most time?

Anyway, I have an old Dell workstation with dual Intel Xeon E5520’s and 36GB of RAM that runs VMware. I use it for testing and labbing. It’s currently running VMware 5.1 and my evaluation has expired. For a long time… It’s always bugging me about that and I can’t switch it to the free ESXi because it has more than 32GB of RAM. That limitation was removed with VMware 5.5, so I’m finally getting around to upgrading this machine.

I really wanted to install off USB and skip the optical drive, so I grabbed a 1GB USB drive that VMware gave me years ago (conveniently already labelled “VMware”) and copied the files from the ISO to it.

Yeah, not good enough. So I formatted the USB and tried to write an MBR to it. On my Mac. Running Mavericks (OSX 10.9).

Did you know that Mavericks appears to have removed the MBR? This is the error I received from fdisk:

$ fdisk -e /dev/disk3
fdisk: could not open MBR file /usr/standalone/i386/boot0: No such file or directory
Enter 'help' for information

Well, that’s inconvenient. Then I went on to try UNetbootin, which normally has been reliable, but not this time. Still no booting.

Rebooting this machine repeatedly to see if this USB drive boots is starting to get annoying.

Enter Rufus

While Googling for what I was missing, I found Rufus. Rufus worked great the first time and I was able to do my upgrade and move on. The only drawback is it’s for Windows, but I ran it in a Windows VM and it was fine. Rufus is a single .exe file and when you run it you get this screen:


Listen to this dude Rufus, he knows what he’s talking about.

Click the little disc icon near “Create a bootable disk using”, choose your VMware ISO image, and you’re off and running.

You might get a prompt regarding your “menu.c32” being out of date. Let it update it and then it will create your bootable USB.

Next time, I’ll start with Rufus!


Solarwinds, HTTPS, and FQDN

When you first configure a Solarwinds Orion-based server the default website it configures is on port 80 only. You might want to go into IIS and add server bindings for port 443. I prefer to ensure all traffic is encrypted and disable remote access to port 80, but that is subject to your local policy. Don’t disable port 80 completely because sometimes you need to access it from the server console.

Adding HTTPS Support

To add HTTPS support, open IIS Manager on your Solarwinds host, right click on the SolarWinds site and select Edit Bindings.

Edit Bindings

To add HTTPS support, right click on the SolarWinds site in IIS Manager and select Edit Bindings…

Now click the Add… button. Change the type dropdown to https, make sure your port changes to 443, and select the appropriate SSL certificate for your server. I usually use the certificate that the machine already has from Active Directory, but your needs may vary. SSL certificate details are outside the scope of this article. :)

Adding an https binding

Choose add, select https from the type dropdown, and select the appropriate SSL certificate.

Click OK and you should now have https available.

I Like FQDN, I Cannot Lie

Something that bugs me about Solarwinds is that out of the box it only uses the hostname for the URL. This isn’t the hostname configured in IIS (which normally doesn’t matter, since most Solarwinds installations won’t be using virtual hosts) but it is the hostname used internally for notifications. If you add the URL to a notification, it’ll only include the hostname. Something like this:

From: [email protected]
To: [email protected]
Subject: rebooted at 3/18/2014 6:43 AM

Lastboot: Tuesday, March 18, 2014 6:38 AM
Device:   Catalyst 37xx Stack
IOS:      15.0(1)SE3, RELEASE SOFTWARE (fc1)
Image:    C3750E-UNIVERSALK9-M
Acknowledge: http://solarwinds:80/Orion/Netperfmon/AckAlert.aspx

Note the URL at the end there with “solarwinds” as the hostname. Now, that might be acceptable if you are in your office. However, that can cause problems for VPN users and for people who it just plain bugs when they don’t see an FQDN. Fortunately, we can correct this URL problem pretty easily. This is also important if you want to use https, because it allows you to change the URL used in notifications to a secure one.

Change to FQDN

WARNING! Beware that you are editing the database live. You should know what you are doing here and be careful. If you break stuff, it’s not my fault. You have been warned.

To change this behavior you need to launch Database Manager and switch to the Websites table. To edit the fields, you’ll need to click Enable table editing. Now you can change the ServerName field to the FQDN. You also need to set the Port to “443” and SSLEnabled to “1” if you want the system to create proper https URLs. Here’s what mine looks like:

Solarwinds Database Manager

My opinion of a properly configured Solarwinds installation.


Enjoy your secure FQDN URLs in your notifications!