public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
From: Stroller @ 2010-10-07  9:37 UTC
  To: gentoo-user

Hi there,

I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.

Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.

The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).

What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format. 

There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able to filter out any crap I'm not interested in, right?

I'd prefer as much as possible to use CLI tools for capturing / analysing the data.

Thanks in advance for any quick pointers you can offer,

Stroller.


* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
From: Jake Moe @ 2010-10-07 11:28 UTC
  To: gentoo-user

On 10/07/10 19:37, Stroller wrote:
> ...
As far as I'm aware, Wireshark is the standard for packet capture and
analysis.  It supports both capture and display filters, so you can
limit it to just what you're interested in.  If the client and server
are both on your LAN, then you should probably go ahead and capture
everything, and then use a display filter to limit it to just the hosts
you need.  That way, if for some reason you find you need to see what
else is going on on the network at a given time, the captured data is
still there, you just broaden the display filter.

As far as CLI tools go, sorry, I'm not sure what's available.  Never had
a need to look into those.  But Wireshark uses libpcap, and digging a
bit shows tcpdump, which is a CLI tool that uses libpcap to capture
data, so it may give you the same functionality.  I've never used it
though, so I can't help further.

Jake Moe


* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
From: William Kenworthy @ 2010-10-07 12:05 UTC
  To: gentoo-user

Wireshark - always use the latest ~x86.  Can capture and save with a lot
of options.

To just do a quick capture, try:
"tcpdump -i eth0 -w file.pcap" writes a pcap format file (can be read by
wireshark etc)
"tcpdump -r file.pcap" to see what's in it
"tcpdump -A -r file.pcap" to extract text like html

If you already have wireshark, "tshark" can do similar operations to
tcpdump.

BillK



On Thu, 2010-10-07 at 10:37 +0100, Stroller wrote:
> ...

-- 
William Kenworthy <billk@iinet.net.au>
Home in Perth!

* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
From: Mick @ 2010-10-07 13:31 UTC
  To: gentoo-user

On 7 October 2010 10:37, Stroller <stroller@stellar.eclipse.co.uk> wrote:
> ...

By passive I assume you mean promiscuous?

Since you prefer CLI you can use tcpdump and tcpflow.  tcpdump will
place your card in promiscuous mode - if you only want to see what's
addressed to your machine use the -p switch.  To avoid truncating the
packets increase the size of the packets captured e.g. -s 65535 and
also add some detail -XX to see the payload.  Altogether something
like this should work:

tcpdump -i wlan0 -e -l -U -vvv -s 65535 -w tcpdump_cap.txt -XX
(switch -w for -r to read what you've captured).

You can use the -T <protocol> option to only capture/read a particular
protocol.  I rarely specify this.

tcpflow -i wlan0 -c -p -s -v

With tcpflow you can specify the protocol (e.g. proto arp) to capture
only particular packets as well.

Hope this helps.
-- 
Regards,
Mick
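A worked example of the pcap side of what William and Mick describe, written for this archive and not code from the thread: it reads the libpcap format that `tcpdump -w` produces, tallies packets by destination IP and TCP port (the "analyse afterwards based on destination IP" part of the question), and reports how many records were cut short by the snaplen, which is the truncation Mick's `-s 65535` avoids. The sample capture, addresses, MACs and payloads are constructed inline, and the helper names (`make_tcp_frame`, `build_pcap`, `iter_pcap`, `summarise`) are this example's own.

```python
import struct

def make_tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (made-up MACs, checksums left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip4 + tcp + payload

def build_pcap(frames, snaplen):
    """Serialise frames in libpcap format (what `tcpdump -w` writes), cut to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):                                  # constructed timestamps
        out += struct.pack("<IIII", 1286444220 + i, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return out

def iter_pcap(data):
    """Yield (captured_bytes, original_length) per record; honours either byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen], origlen
        off += caplen

def summarise(data):
    """Count packets per (destination IP, TCP port); flag records cut short by the snaplen."""
    by_dst, truncated = {}, 0
    for frame, origlen in iter_pcap(data):
        if len(frame) < origlen:
            truncated += 1                          # payload lost: capture with a larger -s
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4 (ARP, IPv6, ...): skip
        ihl = (frame[14] & 0x0F) * 4
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[23] == 6 and len(frame) >= 14 + ihl + 4            # TCP header present?
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0] if tcp else None
        by_dst[(dst, dport)] = by_dst.get((dst, dport), 0) + 1
    return by_dst, truncated

FRAMES = [  # constructed sample: two HTTP requests and one PNG response on a private LAN
    make_tcp_frame("192.168.1.10", "192.168.1.20", 40001, 80, b"GET /logo.png HTTP/1.1\r\n\r\n"),
    make_tcp_frame("192.168.1.20", "192.168.1.10", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n\x89PNG" + bytes(200)),
    make_tcp_frame("192.168.1.10", "192.168.1.20", 40002, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
]
SMALL = build_pcap(FRAMES, 68)     # too-small snaplen: every frame here is cut short
FULL = build_pcap(FRAMES, 65535)   # Mick's -s 65535: nothing lost
```

A non-zero truncation count from a real capture means the pcap cannot yield the complete files the original question asks to extract; re-capture with a larger `-s`.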

* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
From: Stroller @ 2010-10-07 17:30 UTC
  To: gentoo-user


On 7 Oct 2010, at 12:28, Jake Moe wrote:
> ...
> As far as I'm aware, Wireshark is the standard for packet capture and
> analysis. ...
> 
> As far as CLI tools go, sorry, I'm not sure what's available.  Never had
> a need to look into those.

So Wireshark is a GUI tool?

I thought I'd used it in CLI mode (USE="-gtk"???), but it was a long time ago, so maybe I'm mistaken.

Many thanks also to William & Mick. Yes, I did mean "promiscuous mode", sorry. I'm sure I'll have more comments once I've had a chance to have a crack at it. I'm planning on using a laptop with a cardbus wifi card, and I realised it had last been used and updated 2 years ago, so I'm (still) in the middle of reinstalling at the moment.

Stroller.

* Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
From: Adam Carter @ 2010-10-08  3:02 UTC
  To: gentoo-user

>
> > As far as CLI tools go, sorry, I'm not sure what's available.  Never had
> > a need to look into those.
>

tcpdump is the most common CLI tool. Handy if you want to capture to a file
on a unix based firewall or F5 etc so you can then view it in Wireshark on
your workstation.


> So Wireshark is a GUI tool?
>

Yes.

It has crypto decode for SSL if you have the private key, so it might also
be possible to have it decode WPA since you have the key - RTFM to find out
for sure. Depending on how the crypto works you may need to have captured
the beginning of the crypto setup to be able to decode, as that's where the
session key will be exchanged. Can't remember if WPA does that or not.


* [gentoo-user] Re: Sniffing / analysis of application / wifi packets on my LAN
From: Francesco Talamona @ 2010-10-08 17:38 UTC
  To: gentoo-user; +Cc: Adam Carter

On Friday 08 October 2010, Adam Carter wrote:
> > So Wireshark is a GUI tool?
> 
> Yes.

But net-analyzer/wireshark installs a CLI tool too: tshark

Ciao
	Francesco
-- 
Linux Version 2.6.35-gentoo-r9, Compiled #1 SMP PREEMPT Tue Sep 28 
20:02:12 CEST 2010
Two 2.9GHz AMD Athlon 64 Processors, 4GB RAM, 11659 Bogomips Total
aemaeth

* Re: [gentoo-user] Re: Sniffing / analysis of application / wifi packets on my LAN
From: Stroller @ 2010-10-08 18:48 UTC
  To: gentoo-user


On 8 Oct 2010, at 18:38, Francesco Talamona wrote:

> On Friday 08 October 2010, Adam Carter wrote:
>>> So Wireshark is a GUI tool?
>> 
>> Yes.
> 
> But net-analyzer/wireshark installs a CLI tool too: tshark

TYVM.

Stroller.