FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo User

 
 
LinkBack Thread Tools
 
Old 10-07-2010, 09:37 AM
Stroller
 
Default Sniffing / analysis of application / wifi packets on my LAN

Hi there,

I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.

Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.

The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).

What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.

There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right?

I'd prefer as much as possible to use CLI tools for capturing / analysing the data.

Thanks in advance for any quick pointers you can offer,

Stroller.
 
Old 10-07-2010, 11:28 AM
Jake Moe
 
Default Sniffing / analysis of application / wifi packets on my LAN

On 10/07/10 19:37, Stroller wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.
>
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data.
>
> Thanks in advance for any quick pointers you can offer,
>
> Stroller.
>
>
As far as I'm aware, Wireshark is the standard for packet capture and
analysis. It supports both capture and display filters, so you can
limit it to just what you're interested in. If the client and server
are both on your LAN, then you should probably go ahead and capture
everything, and then use a display filter to limit it to just the hosts
you need. That way, if for some reason you find you need to see what
else is going on on the network at a given time, the captured data is
still there, you just broaden the display filter.

As far as CLI tools go, sorry, I'm not sure what's available. Never had
a need to look into those. But Wireshark uses libpcap, and digging a
bit shows tcpdump, which is a CLI tool that uses libpcap to capture
data, so it may give you the same functionality. I've never used it
though, so I can't help further.

Jake Moe
 
Old 10-07-2010, 12:05 PM
William Kenworthy
 
Default Sniffing / analysis of application / wifi packets on my LAN

Wireshark - always use the latest ~x86. Can capture and save with a lot
of options.

to just do a quick capture, try
"tcpdump -i eth- -w file.pcap" writes a pcap format file (can be read by
wireshark etc)
"tcpdump -r file.pcap" to see whats in it
"tcpdump -A - -r file.pcap" to extract text like html

If you already have wireshark, "tshark" can do similar operation to
tcpdump.

BillK



On Thu, 2010-10-07 at 10:37 +0100, Stroller wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.
>
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data.
>
> Thanks in advance for any quick pointers you can offer,
>
> Stroller.
>
>

--
William Kenworthy <billk@iinet.net.au>
Home in Perth!
 
Old 10-07-2010, 01:31 PM
Mick
 
Default Sniffing / analysis of application / wifi packets on my LAN

On 7 October 2010 10:37, Stroller <stroller@stellar.eclipse.co.uk> wrote:
> Hi there,
>
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then.
>
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server.
>
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary).
>
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format.
>
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right?
>
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data.

By passive I assume you mean promiscuous?

Since you prefer CLI you can use tcpdump and tcpflow. tcpdump will
place your card in promiscuous mode - if you only want to see what's
addressed to your machine use the -p switch. To avoid truncating the
packets increase the size of the packets captured e.g. -s 65535 and
also add some detail -XX to see the payload. Altogether something
like this should work:

tcpdump -i wlan0 -e -l -U -vvv -s 65535 -w tcpdump_cap.txt -XX
(switch -w for -r to read what you've captured).

You can use the -T <protocol> option to only capture/read a particular
protocol. I rarely specify this.

tcpflow -i wlan0 -c -p -s -v

With tcpflow you can specify the protocol (e.g. proto arp) to capture
only particular packets as well.

Hope this helps.
--
Regards,
Mick
 
Old 10-07-2010, 05:30 PM
Stroller
 
Default Sniffing / analysis of application / wifi packets on my LAN

On 7 Oct 2010, at 12:28, Jake Moe wrote:
> ...
> As far as I'm aware, Wireshark is the standard for packet capture and
> analysis. ...
>
> As far as CLI tools go, sorry, I'm not sure what's available. Never had
> a need to look into those.

So Wireshark is a GUI tool?

I thought I'd used it in CLI mode (USE="-gtk"???), but it was a long time ago, so maybe I'm mistaken.

Many thanks also to William & Mick. Yes, I did mean "promiscuous mode", sorry. I'm sure I'll have more comments once I've had a chance to have a crack at it. I'm planning on using a laptop with a cardbus wifi card, and I realised it had last been used and updated 2 years ago, so I'm (still) in the middle of reinstalling at the moment.

Stroller.
 
Old 10-08-2010, 03:02 AM
Adam Carter
 
Default Sniffing / analysis of application / wifi packets on my LAN

> As far as CLI tools go, sorry, I'm not sure what's available. *Never had

> a need to look into those.

tcpdump is the most common CLI tool. Handy if you want to capture to a file on a unix based firewall or F5 etc so you can then view it in Wireshark on your workstation.





So Wireshark is a GUI tool?

Yes.

It has crypto decode for SSL if you have the private key, so it might also be possible to have it decode WPA since you have the key - RTFM to find out for sure. Depending on how the crypto works you may need to have captured the beginning of the crypto setup to be able to decode, as that's where the session key will be exchanged. Cant remember if WPA does that or not.
 
Old 10-08-2010, 05:38 PM
Francesco Talamona
 
Default Sniffing / analysis of application / wifi packets on my LAN

On Friday 08 October 2010, Adam Carter wrote:
> > So Wireshark is a GUI tool?
>
> Yes.

But net-analyzer/wireshark installs a CLI tool too: tshark

Ciao
Francesco
--
Linux Version 2.6.35-gentoo-r9, Compiled #1 SMP PREEMPT Tue Sep 28
20:02:12 CEST 2010
Two 2.9GHz AMD Athlon 64 Processors, 4GB RAM, 11659 Bogomips Total
aemaeth
 
Old 10-08-2010, 06:48 PM
Stroller
 
Default Sniffing / analysis of application / wifi packets on my LAN

On 8 Oct 2010, at 18:38, Francesco Talamona wrote:

> On Friday 08 October 2010, Adam Carter wrote:
>>> So Wireshark is a GUI tool?
>>
>> Yes.
>
> But net-analyzer/wireshark installs a CLI tool too: tshark

TYVM.

Stroller.
 

Thread Tools




All times are GMT. The time now is 03:23 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org