Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
On 10/07/10 19:37, Stroller wrote: Hi there, I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then. Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server. The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary). What I'm expecting to see is some image, audio html files /or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format. There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right? I'd prefer as much as possible to use CLI tools for capturing / analysing the data. Thanks in advance for any quick pointers you can offer, Stroller. As far as I'm aware, Wireshark is the standard for packet capture and analysis. It supports both capture and display filters, so you can limit it to just what you're interested in. If the client and server are both on your LAN, then you should probably go ahead and capture everything, and then use a display filter to limit it to just the hosts you need. That way, if for some reason you find you need to see what else is going on on the network at a given time, the captured data is still there, you just broaden the display filter. As far as CLI tools go, sorry, I'm not sure what's available. Never had a need to look into those. But Wireshark uses libpcap, and digging a bit shows tcpdump, which is a CLI tool that uses libpcap to capture data, so it may give you the same functionality. I've never used it though, so I can't help further. Jake Moe
Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
Wireshark - always use the latest ~x86. Can capture and save with a lot of options. to just do a quick capture, try tcpdump -i eth- -w file.pcap writes a pcap format file (can be read by wireshark etc) tcpdump -r file.pcap to see whats in it tcpdump -A - -r file.pcap to extract text like html If you already have wireshark, tshark can do similar operation to tcpdump. BillK On Thu, 2010-10-07 at 10:37 +0100, Stroller wrote: Hi there, I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then. Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server. The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary). What I'm expecting to see is some image, audio html files /or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format. There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right? I'd prefer as much as possible to use CLI tools for capturing / analysing the data. Thanks in advance for any quick pointers you can offer, Stroller. -- William Kenworthy bi...@iinet.net.au Home in Perth!
Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
On 7 October 2010 10:37, Stroller strol...@stellar.eclipse.co.uk wrote: Hi there, I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then. Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server. The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary). What I'm expecting to see is some image, audio html files /or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format. There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right? I'd prefer as much as possible to use CLI tools for capturing / analysing the data. By passive I assume you mean promiscuous? Since you prefer CLI you can use tcpdump and tcpflow. tcpdump will place your card in promiscuous mode - if you only want to see what's addressed to your machine use the -p switch. To avoid truncating the packets increase the size of the packets captured e.g. -s 65535 and also add some detail -XX to see the payload. Altogether something like this should work: tcpdump -i wlan0 -e -l -U -vvv -s 65535 -w tcpdump_cap.txt -XX (switch -w for -r to read what you've captured). You can use the -T protocol option to only capture/read a particular protocol. I rarely specify this. tcpflow -i wlan0 -c -p -s -v With tcpflow you can specify the protocol (e.g. proto arp) to capture only particular packets as well. Hope this helps. -- Regards, Mick
Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
On 7 Oct 2010, at 12:28, Jake Moe wrote: ... As far as I'm aware, Wireshark is the standard for packet capture and analysis. ... As far as CLI tools go, sorry, I'm not sure what's available. Never had a need to look into those. So Wireshark is a GUI tool? I thought I'd used it in CLI mode (USE=-gtk???), but it was a long time ago, so maybe I'm mistaken. Many thanks also to William Mick. Yes, I did mean promiscuous mode, sorry. I'm sure I'll have more comments once I've had a chance to have a crack at it. I'm planning on using a laptop with a cardbus wifi card, and I realised it had last been used and updated 2 years ago, so I'm (still) in the middle of reinstalling at the moment. Stroller.
Re: [gentoo-user] Sniffing / analysis of application / wifi packets on my LAN
As far as CLI tools go, sorry, I'm not sure what's available. Never had a need to look into those. tcpdump is the most common CLI tool. Handy if you want to capture to a file on a unix based firewall or F5 etc so you can then view it in Wireshark on your workstation. So Wireshark is a GUI tool? Yes. It has crypto decode for SSL if you have the private key, so it might also be possible to have it decode WPA since you have the key - RTFM to find out for sure. Depending on how the crypto works you may need to have captured the beginning of the crypto setup to be able to decode, as that's where the session key will be exchanged. Cant remember if WPA does that or not.
