* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
2010-10-07 9:37 [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN Stroller
@ 2010-10-07 11:28 ` Jake Moe
2010-10-07 17:30 ` Stroller
2010-10-07 12:05 ` [gentoo-user] " William Kenworthy
2010-10-07 13:31 ` Mick
2 siblings, 1 reply; 8+ messages in thread
From: Jake Moe @ 2010-10-07 11:28 UTC (permalink / raw
To: gentoo-user
On 10/07/10 19:37, Stroller wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.
>
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data.
>
> Thanks in advance for any quick pointers you can offer,
>
> Stroller.
>
>
As far as I'm aware, Wireshark is the standard for packet capture and
analysis. It supports both capture and display filters, so you can
limit it to just what you're interested in. If the client and server
are both on your LAN, then you should probably go ahead and capture
everything, and then use a display filter to limit it to just the hosts
you need. That way, if for some reason you find you need to see what
else is going on on the network at a given time, the captured data is
still there, you just broaden the display filter.
As far as CLI tools go, sorry, I'm not sure what's available. Never had
a need to look into those. But Wireshark uses libpcap, and digging a
bit shows tcpdump, which is a CLI tool that uses libpcap to capture
data, so it may give you the same functionality. I've never used it
though, so I can't help further.
Jake Moe
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
2010-10-07 11:28 ` Jake Moe
@ 2010-10-07 17:30 ` Stroller
2010-10-08 3:02 ` Adam Carter
0 siblings, 1 reply; 8+ messages in thread
From: Stroller @ 2010-10-07 17:30 UTC (permalink / raw
To: gentoo-user
On 7 Oct 2010, at 12:28, Jake Moe wrote:
> ...
> As far as I'm aware, Wireshark is the standard for packet capture and
> analysis. ...
>
> As far as CLI tools go, sorry, I'm not sure what's available. Never had
> a need to look into those.
So Wireshark is a GUI tool?
I thought I'd used it in CLI mode (USE="-gtk"???), but it was a long time ago, so maybe I'm mistaken.
Many thanks also to William & Mick. Yes, I did mean "promiscuous mode", sorry. I'm sure I'll have more comments once I've had a chance to have a crack at it. I'm planning on using a laptop with a cardbus wifi card, and I realised it had last been used and updated 2 years ago, so I'm (still) in the middle of reinstalling at the moment.
Stroller.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
2010-10-07 17:30 ` Stroller
@ 2010-10-08 3:02 ` Adam Carter
2010-10-08 17:38 ` [gentoo-user] " Francesco Talamona
0 siblings, 1 reply; 8+ messages in thread
From: Adam Carter @ 2010-10-08 3:02 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 694 bytes --]
>
> > As far as CLI tools go, sorry, I'm not sure what's available. Never had
> > a need to look into those.
>
tcpdump is the most common CLI tool. Handy if you want to capture to a file
on a unix based firewall or F5 etc so you can then view it in Wireshark on
your workstation.
> So Wireshark is a GUI tool?
>
Yes.
It has crypto decode for SSL if you have the private key, so it might also
be possible to have it decode WPA since you have the key - RTFM to find out
for sure. Depending on how the crypto works you may need to have captured
the beginning of the crypto setup to be able to decode, as that's where the
session key will be exchanged. Cant remember if WPA does that or not.
[-- Attachment #2: Type: text/html, Size: 1127 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [gentoo-user] Re: Sniffing / analysis of application / wifi packets on my LAN
2010-10-08 3:02 ` Adam Carter
@ 2010-10-08 17:38 ` Francesco Talamona
2010-10-08 18:48 ` Stroller
0 siblings, 1 reply; 8+ messages in thread
From: Francesco Talamona @ 2010-10-08 17:38 UTC (permalink / raw
To: gentoo-user; +Cc: Adam Carter
On Friday 08 October 2010, Adam Carter wrote:
> > So Wireshark is a GUI tool?
>
> Yes.
But net-analyzer/wireshark installs a CLI tool too: tshark
Ciao
Francesco
--
Linux Version 2.6.35-gentoo-r9, Compiled #1 SMP PREEMPT Tue Sep 28
20:02:12 CEST 2010
Two 2.9GHz AMD Athlon 64 Processors, 4GB RAM, 11659 Bogomips Total
aemaeth
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
2010-10-07 9:37 [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN Stroller
2010-10-07 11:28 ` Jake Moe
@ 2010-10-07 12:05 ` William Kenworthy
2010-10-07 13:31 ` Mick
2 siblings, 0 replies; 8+ messages in thread
From: William Kenworthy @ 2010-10-07 12:05 UTC (permalink / raw
To: gentoo-user
Wireshark - always use the latest ~x86. Can capture and save with a lot
of options.
to just do a quick capture, try
"tcpdump -i eth- -w file.pcap" writes a pcap format file (can be read by
wireshark etc)
"tcpdump -r file.pcap" to see whats in it
"tcpdump -A - -r file.pcap" to extract text like html
If you already have wireshark, "tshark" can do similar operation to
tcpdump.
BillK
On Thu, 2010-10-07 at 10:37 +0100, Stroller wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.
>
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data.
>
> Thanks in advance for any quick pointers you can offer,
>
> Stroller.
>
>
--
William Kenworthy <billk@iinet.net.au>
Home in Perth!
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
2010-10-07 9:37 [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN Stroller
2010-10-07 11:28 ` Jake Moe
2010-10-07 12:05 ` [gentoo-user] " William Kenworthy
@ 2010-10-07 13:31 ` Mick
2 siblings, 0 replies; 8+ messages in thread
From: Mick @ 2010-10-07 13:31 UTC (permalink / raw
To: gentoo-user
On 7 October 2010 10:37, Stroller <stroller@stellar.eclipse.co.uk> wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.
>
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data.
By passive I assume you mean promiscuous?
Since you prefer CLI you can use tcpdump and tcpflow. tcpdump will
place your card in promiscuous mode - if you only want to see what's
addressed to your machine use the -p switch. To avoid truncating the
packets increase the size of the packets captured e.g. -s 65535 and
also add some detail -XX to see the payload. Altogether something
like this should work:
tcpdump -i wlan0 -e -l -U -vvv -s 65535 -w tcpdump_cap.txt -XX
(switch -w for -r to read what you've captured).
You can use the -T <protocol> option to only capture/read a particular
protocol. I rarely specify this.
tcpflow -i wlan0 -c -p -s -v
With tcpflow you can specify the protocol (e.g. proto arp) to capture
only particular packets as well.
Hope this helps.
--
Regards,
Mick
^ permalink raw reply [flat|nested] 8+ messages in thread