Saturday, May 9, 2015

Windows 8 and The New UEFI BIOS

How To Access The BIOS On A Windows 8 Computer


Among the many changes coming with Windows 8 and new computers designed for it is a change in the way we access our computers’ BIOS. No longer do we press a certain key during the boot process to reveal the BIOS – instead, an option to access the BIOS is located in Windows 8’s boot options menu.

Traditionally, computers displayed a message like “Press F2 to enter setup” at the beginning of the boot process. Pressing this key entered the computer’s BIOS. However, Windows 8 hardware uses the UEFI replacement for the traditional BIOS, like Macs do. Some solid-state drive-equipped Windows 8 PCs boot so fast that you’d only have a 200 millisecond (that’s 0.2 seconds) window of opportunity to press the key combination.


Windows 8 Hardware vs. Old Computers With Windows 8

Note that this new method only applies if you purchased a new computer with Windows 8 preinstalled – these will use UEFI. However, if you’ve installed Windows 8 on an existing computer that uses the legacy BIOS system, you’ll access the BIOS in the same way as always by pressing the key that appears during your boot process.

This key is often F2 or Delete, but it can also be other keys. The exact key depends on your computer – if you don’t see the appropriate key displayed on your screen during the boot-up process, consult your computer’s manual.



Accessing Boot Options

There are several ways to access Windows 8’s boot options menu. The easiest one to find is in the PC Settings application – press WinKey+C to reveal the Charms bar, click Settings, and select Change PC settings to access it.


In the PC Settings application, select the General category and click the Restart now button under Advanced startup. Your computer will restart and you’ll enter the Windows 8s boot options menu, where you can access the UEFI BIOS and change other settings.


In more updated versions of windows 8 (like 8.1), the Advanced startup has moved:

Windows Key+C > Settings > Change PC settings > Update and recovery > Recovery > Advanced startup + Restart now

You can also hold Shift while clicking Restart in the Shut Down menu to restart your computer into the boot options menu. This is a quick way to restart into the boot options menu, as you can access the Shut Down button from the Charms anywhere on your system.


Command-line geeks will be happy to know they can run a special shutdown.exe command in a Command Prompt window to restart their computer directly into the boot options menu:

Shutdown.exe /r /o



Accessing UEFI BIOS

The boot options menu has been designed to integrate some commonly used options that people went into the BIOS for. For example, if you want to boot your computer off a USB drive, DVD or CD, or another device, you can click the Use a device tile in the boot options menu and select the device you want to boot from.

If you’re just here to access your computer’s UEFI BIOS, click the Troubleshoot tile.


This will reveal an Advanced Options screen with a variety of tools – the UEFI Firmware Settings tile will take you to your computer’s BIOS. (On UEFI, which stands for “Unified Extensible Firmware Interface”, the firmware settings menu is equivalent to a traditional PC’s BIOS.)


If you don’t see the UEFI Firmware Settings tile here, your computer doesn’t use UEFI. You’ll need to access the BIOS in the traditional way, by pressing a specific key during the boot-up process. See the first section above for more information.

If there’s an error booting Windows, you won’t be locked out of the BIOS — the boot options screen will appear when you start your computer. From here, you can repair Windows or enter your BIOS.


Why the Change?

While this may be slightly inconvenient, as there’s no way to access the BIOS in normal use without booting into Windows first, it’s surely necessary. Microsoft’s blog post about this on the Building Windows 8 blog describes how this new system came to be. With the increased boot speed, some systems had a less than 200 millisecond window of opportunity to press a key. Even the best key-tappers at Microsoft could only press a key once every 250ms — to access the BIOS, frantic tapping, luck, and several compuer reboots were all necessary.

This also brings some much-needed consistency to Windows 8 computers — they’ll all have a consistent way of accessing the BIOS. Currently, different computers use different keys at start-up.

While Windows 8 may have some questionable design decisions that some people will dislike, this shouldn’t be one of them. The new method of accessing the BIOS is necessary and well-implemented.

Taken From: (By Chris Hoffman)

Tuesday, May 5, 2015

Cisco / Linux - Decapsulating Cisco ERSPAN With Linux

Decapsulation ERSPAN Traffic With Open Source Tools

Posted on May 3, 2015 by Radovan Brezula

Cisco Encapsulated Remote SPAN (ERSPAN) feature allows to monitor traffic on one or more ports and send the monitored traffic to one or more destination ports.  Traffic is encapsulated into GRE tunnel and routed via network to ERSPAN destination. Any device that supports ERSPAN can be used as ERSPAN destination. It might be another Cisco device or Linux with installed software that can decapsulate GRE traffic.

The goal of this article is to show methods and tools for decapsulation of  ERSPAN traffic. For this purpose I have built simple lab that consists of a Cisco CSR 1000v router and two Linux boxes. Core Linux represents a network host and generates network traffic (ICMP) that is going to be monitored. It is connected to the port GigabitEthernet1 of the Cisco router. The router is configured to monitor traffic on the port Gi1 and it sends traffic encapsulated in GRE tunneling protocol to IP address It is the IP address of the ERSPAN destination configured on Linux  Security Union. Security Onion is a unique Linux distro for intrusion detection, network security monitoring, and log management based on Ubuntu however any other Linux distro can be used.


Picture 1 - ERSPAN Lab Topology

Below is an example of ERSPAN configuration on the CSR 1000v router. This is the source ERSPAN type and with configured rspan_id 1. The interface Gi1 is being monitored and the GRE traffic is sent to ERSPAN destination address IP

CSR1000v# show running-config | b monitor
monitor session 1 type erspan-source
description ERSPAN to
source interface Gi1
erspan-id 1
mtu 1464
ip address
origin ip address

Capturing ERSPAN Traffic with Wireshark

We are going to capture and analyze ERSPAN traffic with Wireshark packet sniffer. First configure IP address on interface eth1 of the Linux Security Onion.

janosik@onion:~$ sudo su
root@onion# ip address add dev eth1

Now use Wireshark to capture GRE traffic on Security Onion on its interface eth1 and ping the router IP address from the Linux Core host (IP If the source ERSPAN is properly configured on router, packets from the subnet should appear in Wireshark output.

A closer look at the picture below reveals that the original packet ICMP packet (MAC header, IPv4 header and ICMP header) is now encapsulated as following.

MAC header + IPv4 header (, + GRE header (Protocol type ERSPAN) + ERPAN header + (original packet)


Picture 2 - Encapsulated GRE Traffic Captured on Interface Eth1

An original ICMP packet is encapsulated into GRE tunnel and the new outer MAC and IPv4 + GRE + ERSPAN headers are added to original packets. It allows encapsulated traffic to be forwarded through network to ERSPAN destination. However if we want software application such as IPS/IDS to analyze encapsulated packets, the outer L2 and L3 headers must be striped from packet. This can be done with tools such as RCDCAP  which dissects packets from GRE tunnel.


Configuring GRE tunnel on ERSPAN Destination Device

If for some reason we do not want to install special software that dissects packets from GRE tunnel we can configure GRE tunnel on ERSPAN destination (Linux Security Onion) and let IDS to listen on a tunneled interface. Thanks to this configuration the outer MAC and IPv4 headers are stripped and do no appear in Wireshark output.

a) Load gre module to kernel

janosik@onion:~$ sudo su
root@onion# modprobe ip_gre

b) Choose receiving interface and assign IPv4 to it

root@onion# ip addr add dev eth1

Set the MTU of the network interface that receives GRE packets larger than 1500 e.g. to 1900.  Otherwise we are going to miss some bytes in larger packets.

root@onion# ip link set dev eth1 mtu 1900

c) Create virtual tunnel interface and associate it with IP previously configured on eth1 interface

root@onion# ip tunnel add mon0 mode gre local ttl 8

d) Add IP address to interface mon0 which is not used for anything

root@onion# ip addr add dev mon0

e) Change the state of mon0 device to up

root@onion# ip link set mon0 up

Again, generate some traffic in the subnet and configure Wireshark to listen on interface mon0. Notice that the outer MAC and Ipv4 header are now stripped from the ICMP packet.


Picture 3 - Decapsulated Traffic Captured on Interface Eth1

Using RCDCAP for Decapsulating ERSPAN Traffic

RCDCAP is wrapper program that dissects the traffic and creates a virtual interface where the traffic is already decapsulated. I've compiled it from the source and created the Ubuntu package RCDCap-0.7.99-Linux for Ubuntu 15.04. Be aware that additional packages are needed to get it working.

janosik@onion:~$ sudo su
root@onion# apt-get install libboost-regex1.55.0

Use apt-get to install the packages below. If they are not available in a repository  download them from here and install manually with dpkg -i command.

  • libboost-program-options1.48.0_1.48.0-3_amd64.deb
  • libboost-thread1.48.0_1.48.0-3_amd64.deb
  • libboost-system1.48.0_1.48.0-3_amd64.deb

root@onion# dpkg -i libboost-program-options1.48.0_1.48.0-3_amd64.deb libboost-thread1.48.0_1.48.0-3_amd64.deb libboost-system1.48.0_1.48.0-3_amd64.deb

Now we can install RCDCAP with the command.

root@onion# dpkg -i RCDCap-0.7.99-Linux.deb

Once RCDCAP is installed configure interface eth1 to prepare for capturing.

janosik@onion:~$ sudo su
root@onion# ip addr add dev eth1
root@onion# ip link set dev eth1 mtu 1900
root@onion# ip link set dev eth1 up

Start RCDCAP with the command below and let Wireshark to listen on interface mon1.

root@onion# rcdcap -i eth1 --erspan --tap-persist --tap-device mon1 --expression "host"

We can see that RCDCAP have dissected monitored traffic from GRE and only original MAC + IPv4 + ICMP headers and pyaload are presented in Wireshark output.


Picture 4 - Decapsulated Traffic Captured on Interface Mon1


Taken From: