Today I needed to check what devices are being pinged so I ran snoop icmp on the Solaris box in question and downloaded the snoop file to my PC for analysis with Ethereal.
The following tethereal command reads the snoop capture and extracts only the ping (ICMP echo) replies:
tethereal.exe -r "23oct2005.snoop" -t d -R "icmp.type == 0"
I needed to limit it to ICMP type 0 as there were also ICMP type 3 "Destination Unreachable" packets mixed in from failed SNMP queries.
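The same filter done by hand, as an added example that is not part of the original post: a small reader for the snoop capture format (RFC 1761, big-endian file and record headers, records padded to 4 bytes) that walks Ethernet/IPv4/ICMP frames and keeps only ICMP type 0, which is what the "icmp.type == 0" display filter above does. The capture it runs on is constructed inline (two echo replies plus one "port unreachable", the kind of type 3 packet a failed SNMP query to a closed UDP port produces); the addresses and MAC addresses are made up and the IP/ICMP checksums are left zero because the reader does not verify them.

```python
import struct

# Constants from RFC 1761 (snoop) and the IPv4/ICMP headers.
SNOOP_MAGIC = b"snoop\x00\x00\x00"
SNOOP_VERSION = 2
DLT_ETHERNET = 4
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3


def snoop_records(blob):
    """Yield (timestamp, frame) for every packet record in a snoop capture."""
    if blob[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != SNOOP_VERSION or datalink != DLT_ETHERNET:
        raise ValueError(f"unsupported snoop version {version} / datalink {datalink}")
    off = 16
    while off + 24 <= len(blob):
        _orig, incl, rec_len, _drops, secs, usecs = struct.unpack(">6I", blob[off:off + 24])
        if rec_len < 24 + incl:
            raise ValueError(f"corrupt record length at offset {off}")
        yield secs + usecs / 1e6, blob[off + 24:off + 24 + incl]
        off += rec_len  # record length already includes the padding to a 4-byte boundary


def parse_icmp(frame):
    """Return (src, dst, icmp_type, icmp_code) for an Ethernet/IPv4/ICMP frame, else None."""
    if len(frame) < 14 + 20 + 4 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_ICMP or len(ip) < ihl + 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[ihl], ip[ihl + 1]


def ping_replies(blob):
    """Equivalent of -R 'icmp.type == 0': (replying host, pinging host) for echo replies only."""
    replies = []
    for _ts, frame in snoop_records(blob):
        parsed = parse_icmp(frame)
        if parsed and parsed[2] == ICMP_ECHO_REPLY:
            replies.append((parsed[0], parsed[1]))
    return replies


def _frame(src, dst, icmp_type, icmp_code):
    """Constructed Ethernet/IPv4/ICMP frame; checksums left zero, the reader does not check them."""
    icmp = struct.pack(">BBHI", icmp_type, icmp_code, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, IPPROTO_ICMP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack(">H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def _snoop(frames):
    """Constructed snoop file: magic, version, datalink, then one padded record per frame."""
    out = bytearray(SNOOP_MAGIC + struct.pack(">II", SNOOP_VERSION, DLT_ETHERNET))
    for i, f in enumerate(frames):
        pad = (-len(f)) % 4
        out += struct.pack(">6I", len(f), len(f), 24 + len(f) + pad, 0, 1130000000 + i, 0)
        out += f + b"\x00" * pad
    return bytes(out)


# Constructed sample: two ping replies and one "port unreachable" from a failed SNMP query.
SAMPLE_CAPTURE = _snoop([
    _frame("192.168.1.10", "192.168.1.1", ICMP_ECHO_REPLY, 0),
    _frame("192.168.1.20", "192.168.1.1", ICMP_DEST_UNREACHABLE, 3),
    _frame("192.168.1.30", "192.168.1.1", ICMP_ECHO_REPLY, 0),
])

if __name__ == "__main__":
    for src, dst in ping_replies(SAMPLE_CAPTURE):
        print(f"echo reply {src} -> {dst}")
```

Without the type check the type 3 packet would be listed as if 192.168.1.20 had answered a ping; checking the type and code is also how you tell a "port unreachable" (type 3, code 3) from a host or network that is genuinely down.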
If you sample CPU usage at a regular interval, you can end up in phase with a process that uses the CPU at that same interval: every sample then catches it busy, and a short periodic burst gets misread as constant high CPU usage (the sampling equivalent of aliasing).
I wondered whether anyone had researched adding some randomness into the sampling to avoid this and found this article on Stochastic Sampling in Anti-Aliasing. It appears that evolution has already built this in: the randomness of the photoreceptors in our eyes avoids aliasing. Amazing...
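A simulation of the effect described above and of the stochastic-sampling fix, added here as an example and not part of the original post. The "process" is a made-up one that burns the CPU for 6 seconds at the start of every 60-second interval (true utilisation 10%). Sampling every 60 seconds reports 100% or 0% depending purely on the phase, while jittering each sample to a random point inside its slot gives an estimate close to the truth. The numbers (period, burst length, sample count, RNG seed) are assumptions chosen for the demonstration.

```python
import random


def cpu_busy(t, period, busy):
    """Instantaneous state of a process that burns the CPU for `busy` seconds
    at the start of every `period`-second interval (1 = busy, 0 = idle)."""
    return 1 if (t % period) < busy else 0


def periodic_estimate(period, busy, interval, phase, samples):
    """Utilisation estimate from samples taken every `interval` seconds, starting at `phase`."""
    total = sum(cpu_busy(phase + k * interval, period, busy) for k in range(samples))
    return total / samples


def jittered_estimate(period, busy, interval, samples, seed=1):
    """Same sampler, but each sample lands at a uniformly random point inside its slot
    (stochastic sampling), so the sample times are uncorrelated with the process's phase."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    total = sum(cpu_busy(k * interval + rng.uniform(0, interval), period, busy)
                for k in range(samples))
    return total / samples


def compare(period=60.0, busy=6.0, samples=2000):
    """Sampling at exactly the process's period: in phase reports 100%, out of
    phase reports 0%; the jittered sampler converges on busy/period."""
    return {
        "true": busy / period,
        "periodic_in_phase": periodic_estimate(period, busy, period, 0.0, samples),
        "periodic_out_of_phase": periodic_estimate(period, busy, period, 30.0, samples),
        "jittered": jittered_estimate(period, busy, period, samples),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:.3f}")
```

The jittered estimate still has sampling noise (its standard error is about sqrt(p(1-p)/n), under 1% here), but that noise averages out with more samples, whereas the phase error of the periodic sampler never does.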
Some useful steps when dealing with a disk space problem:
1) Find what has been modified in the last day:
find /opt -mtime -1
2) Find the size of a folder in human-readable units (add -s to print only the total instead of a line for every subdirectory):
du -h /tmp
I remember looking long ago at how WMFs are made up and was amazed at the time to find that it was just a log of the GDI calls that were made, which were played back in order. I might even have fixed a bug in one of the Japanese versions of the Lotus Freelance products in the 1990s, since I was responsible for bugfixing file import and export filters and remember poking around the Metafile import code to see how it worked. Steve Gibson makes an interesting claim today regarding the Microsoft statement on the recently found WMF exploit:
This, too, is subtle misdirection. He's talking about an
"additional step" that was LATER TAKEN OUT of Windows metafile
processing, since Windows 9x/ME/NT came *before* the later
"vulnerable" systems. And, even so, remember that what was done
later with "SetAbortProc" is not really "SetAbortProc" at all
.... but rather "RunThisCodeNow!"
Hear Steve Gibson explain why he thinks the WMF exploit was a deliberate backdoor in Windows.
Later politely debunked by Mark (Sony Rootkit) Russinovich.
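To make the "log of GDI calls played back in order" concrete, here is an added example (not code from the original post, nor from any of the people quoted) that walks the records of a WMF file and flags the one record type the discussion above is about: a META_ESCAPE record whose escape sub-function is SETABORTPROC. The layout follows the published WMF format (optional 22-byte placeable header with key 0x9AC6CDD7, an 18-byte standard header, then records of [size in 16-bit words][function number][parameters] ending in META_EOF; META_ESCAPE carries an escape function number and a byte count before its data). The sample file is constructed inline with a few drawing records and an escape record whose data is zero filler; it is not an exploit and the record names table is only the handful needed here.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7     # Aldus placeable header, 22 bytes, optional
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9               # escape sub-function number (wingdi.h)
RECORD_NAMES = {0x0103: "SETMAPMODE", 0x020B: "SETWINDOWORG", 0x020C: "SETWINDOWEXT",
                0x041B: "RECTANGLE", 0x0626: "ESCAPE", 0x0000: "EOF"}


def wmf_records(data):
    """Yield (offset, function, params) for each record, in playback order."""
    off = 22 if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY else 0
    _type, header_size, _ver, _size, _objs, _max_rec, _members = struct.unpack("<HHHIHIH", data[off:off + 18])
    if header_size != 9:
        raise ValueError(f"unexpected WMF header size {header_size}")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack("<IH", data[off:off + 6])
        if size_words < 3:                      # size covers its own 6-byte prefix
            raise ValueError(f"record at {off} smaller than its header")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def describe(data):
    """The GDI call log as a list of record names (unknown functions shown in hex)."""
    return [RECORD_NAMES.get(func, f"0x{func:04X}") for _off, func, _p in wmf_records(data)]


def abortproc_records(data):
    """(offset, byte count) of every META_ESCAPE record whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, byte_count = struct.unpack("<HH", params[:4])
            if escape_fn == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def _record(func, params=b""):
    """Constructed record: size in words (padded to even bytes), function, parameters."""
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _wmf(records):
    """Constructed memory-type WMF: standard header followed by the records."""
    body = b"".join(records)
    largest = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, largest, 0) + body


# Constructed sample: two harmless drawing records, an escape record with 8 bytes of
# zero filler (not code) under SETABORTPROC, then the terminating EOF record.
SAMPLE_WMF = _wmf([
    _record(0x0103, struct.pack("<H", 8)),                 # SETMAPMODE
    _record(0x041B, struct.pack("<4H", 100, 100, 0, 0)),   # RECTANGLE
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
    _record(META_EOF),
])

if __name__ == "__main__":
    print(" -> ".join(describe(SAMPLE_WMF)))
    for off, count in abortproc_records(SAMPLE_WMF):
        print(f"SETABORTPROC escape at offset {off} carrying {count} bytes")
```

A metafile that is just drawing has no business carrying an abort procedure, so a scanner like this is a cheap triage filter for WMF files collected during an incident; it also refuses records whose declared size is shorter than their own header or runs past the end of the file, which is the kind of malformed input a parser of this format must expect.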