From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mick
To: gentoo-user@lists.gentoo.org
Date: Thu, 7 Oct 2010 14:31:01 +0100
Subject: Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

On 7 October 2010 10:37, Stroller wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.
>
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able to filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data.
By passive I assume you mean promiscuous?

Since you prefer CLI you can use tcpdump and tcpflow. tcpdump will place your card in promiscuous mode - if you only want to see what's addressed to your machine use the -p switch. To avoid truncating the packets increase the size of the packets captured e.g. -s 65535 and also add some detail -XX to see the payload. Altogether something like this should work:

tcpdump -i wlan0 -e -l -U -vvv -s 65535 -w tcpdump_cap.txt -XX

(switch -w for -r to read what you've captured). You can use the -T option to only capture/read a particular protocol. I rarely specify this.

tcpflow -i wlan0 -c -p -s -v

With tcpflow you can specify the protocol (e.g. proto arp) to capture only particular packets as well.

Hope this helps.

-- 
Regards,
Mick
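Added example, not part of the thread and not Mick's or Stroller's code: a small Python script showing what can be done offline with the file that `tcpdump -w` writes, along the lines Stroller asked about (tally traffic by destination IP, pull the TCP payload out of selected flows) and why Mick's `-s 65535` matters (records captured with a short snaplen are flagged as truncated and their payloads are unusable). It assumes a classic pcap file (not pcapng) with Ethernet framing; the three sample packets, the addresses (192.168.1.0/24 as the LAN, 192.0.2.80 as a server in the documentation range) and the HTTP content are all constructed inline so the script runs with no capture at hand.

```python
"""Offline triage of a tcpdump -w capture: bytes per destination IP and TCP
payload extraction.  Example added to this archived thread; the pcap bytes
below are constructed in-script (no real capture is read)."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read from a big-endian file


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, proto, segment):
    """Constructed Ethernet/IPv4 frame carrying `segment` (proto 6=TCP, 17=UDP)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # made-up MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))         # checksum left 0: sample data
    return eth + ip + segment


def tcp_segment(sport, dport, payload):
    # 20-byte header: data offset 5 words, flags PSH|ACK, checksum 0 (constructed)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp_segment(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(frames, snaplen=65535):
    """pcap global header (linktype 1 = Ethernet) plus one record per frame; each
    record is cut to `snaplen` bytes the way tcpdump -s would cut it."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1286458261 + i, 0, len(captured), len(frame)) + captured
    return out


def iter_records(pcap):
    """Yield (timestamp, captured bytes, truncated?) for every record in the file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet framing (linktype 1)")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl], incl < orig
        off += incl


def decode_ipv4(frame):
    """Return (src, dst, proto, transport bytes) or None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, dst, frame[23], frame[14 + ihl:14 + total_len]


def bytes_by_destination(pcap):
    """Per-destination-IP (packets, bytes) tally: where did the traffic go?"""
    tally = defaultdict(lambda: [0, 0])
    for _, frame, _ in iter_records(pcap):
        hdr = decode_ipv4(frame)
        if hdr:
            tally[hdr[1]][0] += 1
            tally[hdr[1]][1] += len(frame)
    return {dst: tuple(counts) for dst, counts in tally.items()}


def tcp_payloads(pcap, dst_ip=None):
    """TCP payloads (optionally for one destination only), the raw material
    tcpflow reassembles.  Records truncated by a short snaplen are skipped."""
    found = []
    for _, frame, truncated in iter_records(pcap):
        hdr = decode_ipv4(frame)
        if not hdr or hdr[2] != 6 or truncated:
            continue
        src, dst, _, seg = hdr
        if dst_ip and dst != dst_ip:
            continue
        sport, dport = struct.unpack("!HH", seg[:4])
        data_offset = (seg[12] >> 4) * 4
        found.append((src, sport, dst, dport, seg[data_offset:]))
    return found


def truncated_records(pcap):
    return sum(1 for _, _, truncated in iter_records(pcap) if truncated)


# Constructed sample: an HTTP request and reply to a server, plus one DNS query.
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "192.0.2.80", 6,
                tcp_segment(40001, 80, b"GET /cover.jpg HTTP/1.1\r\nHost: media.example\r\n\r\n")),
    build_frame("192.0.2.80", "192.168.1.10", 6,
                tcp_segment(80, 40001, b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff")),
    build_frame("192.168.1.10", "192.168.1.1", 17, udp_segment(53000, 53, b"\x12\x34\x01\x00\x00\x01")),
]
FULL_CAPTURE = build_pcap(SAMPLE_FRAMES)              # as with -s 65535
SHORT_CAPTURE = build_pcap(SAMPLE_FRAMES, snaplen=68)  # old tcpdump default, cuts payloads off

if __name__ == "__main__":
    for dst, (pkts, nbytes) in sorted(bytes_by_destination(FULL_CAPTURE).items()):
        print(f"{dst:16} {pkts} packets {nbytes} bytes")
    for src, sport, dst, dport, payload in tcp_payloads(FULL_CAPTURE, "192.0.2.80"):
        print(f"{src}:{sport} -> {dst}:{dport} {payload[:40]!r}")
    print("records truncated at snaplen 68:", truncated_records(SHORT_CAPTURE))
```

To use it on a real file, replace FULL_CAPTURE with the bytes of the file written by `tcpdump -w`; the same functions work because the parser reads the pcap header rather than trusting the constructed data. Per-packet payloads are deliberately not stitched into streams here; for that, tcpflow on the same file does the reassembly.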