On 7 October 2010 10:37, Stroller <strol...@stellar.eclipse.co.uk> wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN,
> and was wondering if anyone could offer some quick pointers on the best tools
> for this these days. I've played with this some years ago, but only very
> superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple
> of minutes (so it shouldn't be that much, right?) into a file and then
> analyse it afterwards based on destination IP, content &c. A couple of
> minutes should allow completion of at least 2 or 3 separate interactions with
> the server.
>
> The network is mine, as is the device from which I'm capturing the data. I
> have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00
> (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can
> just set the wifi card in passive mode for sniffing. I'm pretty sure I
> experimented with this card in passive mode before, some years ago.
> Alternatively, I think I can plug the wifi access-point into my PC, bridge it
> to a second wired NIC and sniff what's going across the bridge (but I don't
> think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data
> transferred, and ideally I'd like to be able to extract it all and view it in
> its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this
> is happening - I'll try to minimise this, but I think the tools should be
> able to filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the
> data.
By passive I assume you mean promiscuous? Since you prefer CLI you can use
tcpdump and tcpflow. tcpdump will place your card in promiscuous mode - if you
only want to see what's addressed to your machine use the -p switch. To avoid
truncating the packets increase the size of the packets captured, e.g. -s 65535,
and also add some detail, -XX, to see the payload. Altogether something like
this should work:

  tcpdump -i wlan0 -e -l -U -vvv -s 65535 -w tcpdump_cap.txt -XX

(switch -w for -r to read what you've captured). You can use the -T <protocol>
option to only capture/read a particular protocol. I rarely specify this.

  tcpflow -i wlan0 -c -p -s -v

With tcpflow you can specify the protocol (e.g. proto arp) to capture only
particular packets as well.

Hope this helps.

--
Regards,
Mick
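As an added example (not from the thread, and not Mick's or Stroller's code): a small Python reader for the pcap file that `tcpdump -w` produces, tallying TCP payload bytes per destination IP and port, which is the after-the-fact analysis by destination the question asks for. The sample capture is constructed inline, and the reader assumes an Ethernet-framed capture (a card in monitor mode writes 802.11 frames instead, which it rejects rather than misparses).

```python
# Added example, not from the thread. Parses a pcap saved with `tcpdump -w`
# and tallies TCP payload bytes per destination IP:port. Sample capture is constructed.
import struct
from collections import Counter

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame for the sample capture."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def build_pcap(frames, snaplen=65535):
    """Wrap frames in a pcap global header (linktype 1 = Ethernet) plus record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1286440000 + i, 0, len(f), len(f)) + f  # ts, ts_us, incl, orig
    return out

def summarize(pcap_bytes):
    """Return {(dst_ip, dst_port): tcp_payload_bytes} for IPv4/TCP packets in a pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]    # KeyError: not a (usec) pcap
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures handled; monitor mode gives 802.11")
    tally, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # skip non-IPv4 / non-TCP noise
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]               # relies on a full snaplen (-s 65535)
        dst = ".".join(str(b) for b in frame[30:34])
        dport = struct.unpack("!H", tcp[2:4])[0]
        tally[(dst, dport)] += len(tcp) - (tcp[12] >> 4) * 4
    return dict(tally)

# Constructed sample: two HTTP requests from the device, one response, one ARP frame.
REQ1, REQ2, RESP = b"GET /image.jpg HTTP/1.1\r\n", b"GET /feed.xml HTTP/1.1\r\n", b"\xff" * 100
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.20", "192.168.1.10", 51000, 80, REQ1),
    build_frame("192.168.1.10", "192.168.1.20", 80, 51000, RESP),
    build_frame("192.168.1.20", "192.168.1.10", 51000, 80, REQ2),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,            # ARP, filtered out
])
```

Point `summarize` at the bytes of a real `tcpdump -w` file to get the same per-destination tally for a live capture.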