Difference between pages "Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point." and "Birds of a Feather sessions (BoFs)"

From LCA2016 Delegate wiki
 
(Add room for parallelism and concurrency BoF)
 
== Birds of a Feather (BoF) Sessions ==

Although not an official social event of the Conference, Birds of a Feather - or BoFs as they are known - allow Delegates to meet around a particular topic or interest. BoFs usually occur during lunchtime, or after the main Conference presentations for the day.

==== Instructions ====

Edit the table below to claim a BoF, and provide a way for people to contact you.

''Rooms will be added later.'' See also: [[mw:Help:Tables|Table Markup Help]].

{| class="wikitable" style="text-align:center"
<!-- Table Headers -->
|+Birds of a Feather (BoF) Sessions
!
!Monday 1st Feb
!Tuesday 2nd Feb
!Wednesday 3rd Feb
!Thursday 4th Feb
!Friday 5th Feb
|-
! Early birds
06:00
<!-- Mon -->
| [[Running BoF]]
<!-- Tue -->
| [[Running BoF]]
<!-- Wed -->
| [[Running BoF]]
<!-- Thu -->
| [[Running BoF]]
<!-- Fri -->
| [[Running BoF]]
|-
! Not-as-Early birds
07:00
<!-- Mon -->
| [[Interval Training BoF]]
<!-- Tue -->
| [[Interval Training BoF]]
<!-- Wed -->
| [[Interval Training BoF]]
<!-- Thu -->
| [[Interval Training BoF]]
<!-- Fri -->
| [[Interval Training BoF]]
<!-- Keynote Speakers -->
|- style="background-color: #f2f2f2;text-align:center;"
! 09:00
| Opening
| scope="row" colspan="4" |Keynote Speakers
|-
! Morning Tea
10:00—10:40
<!--Mon-->
|Session
<!--Tue-->
|Session
<!--Wed-->
|Session
<!--Thu-->
|Session
<!--Fri-->
|Session
<!-- Regular Schedule -->
|- style="background-color: #f2f2f2;text-align:center;"
|scope="row" colspan="6" | Regular Schedule
|-
!Lunch Break
12:20—13:20
<!--Mon-->
|[[Queer BoF]]
<!--Tue-->
|[[Perl BoF]] D2.193 <p> [[Autonomous Robots BoF]] D.211
<!--Wed-->
|[[Emacs BoF]] D2.193 <br/> [[Safer Payments BoF]] D.211
Exploding Kittens BoF - student lounge
<br/>Cards Against Humanity BoF D.211
<!--Thu-->
|[[Ladies' Lunch]]
[[Debian Lunch @ wool museum restaurant]]
<br/>Cards Against Humanity BoF - D.211
<!--Fri-->
|[[Freedom Conservancy supporters]]
<!-- Regular Schedule -->
|- style="background-color: #f2f2f2;text-align:center;"
|scope="row" colspan="6"|Regular Schedule
|-
!Afternoon Tea
15:00—15:40
<!--Mon-->
|Session
<!--Tue-->
|Session
<!--Wed-->
|[[BlueHackers BoF]] D2.193
<!--Thu-->
|Jobs BoF D.211
<!--Fri-->
|Session
<!-- Regular Schedule -->
|- style="background-color: #f2f2f2;text-align:center;"
|scope="row" colspan="5" |Regular Schedule
|[[Lightning_talks|LightningTalks]] & Closing
|-
!Evening
17:20—
<!--Mon-->
|[[Ingress BoF]] D.192
[[Libre Instant Messaging and Social Media BoF|Libre IM & Social BoF]] D2.211
<!--Tue-->
|[[Keysigning bof|Keysigning BoF]] D2.211
<!--Wed-->
|[[Kerbal BoF]] D2.193
<!--Thu-->
|[[Parallelism and Concurrency BoF]] D2.193
<!--Fri-->
|Session
<!-- Regular Schedule -->
|- style="background-color: #f2f2f2;text-align:center;"
!18:00—
<!--Mon-->
|[[LA AGM]] D.193
<!--Tue-->
|[[Professional Delegates Networking Session (PDNS)|PDNS]]
<!--Wed-->
|[[Penguin Dinner]]
<!--Thu-->
|[[Speakers' Dinner]]
<!--Fri-->
|[[EFA Drinks]]
|}

Unscheduled sessions:
* Exploding Kittens

{{Template:Navigation}}

{{BoF}}

[[Category:Events]]

Revision as of 14:26, 3 February 2016

Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point.

===PREREQUISITES===
Please note that this is a tutorial, not a talk.

You should have tcpdump and wireshark INSTALLED and do some captures BEFORE you come to the tutorial.

To find wireshark packages do something like this:
<pre>
#archlinux
pacman -Ss wireshark tcpdump
#debian
apt-cache search wireshark tcpdump
#fedora
yum search wireshark tcpdump
</pre>
Please install both GUI and CLI packages.

Please add the user you are going to run wireshark/tshark as to the 'wireshark' user group.
<pre>
gpasswd -a james wireshark
</pre>
After this, user 'james' will need to log out and log in again!

If that still DOESN'T work, you might want to add a capability. Do it ONLY if you are still unable to capture. Note that a file capability applies to every user who can execute dumpcap, so keep its execute permission restricted to the 'wireshark' group.
<pre>
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
</pre>

When finished, have a look around at what files came with the package:
<pre>
tcpdump --version
tshark --version
</pre>
List the binaries that came with the package (the example is for archlinux; for rpm-based distributions do 'rpm -ql wireshark', for debian 'dpkg -L wireshark'):
<pre>
pacman -Ql wireshark-cli|grep bin
wireshark-cli /usr/bin/androiddump
wireshark-cli /usr/bin/capinfos
wireshark-cli /usr/bin/captype        #same as 'capinfos -t'
wireshark-cli /usr/bin/dftest         #display filter byte-code for debugging
wireshark-cli /usr/bin/dumpcap        #can write files
wireshark-cli /usr/bin/editcap        #truncate to a snaplen, split into multiple files by time or packet count, adjust timestamps
wireshark-cli /usr/bin/idl2wrs
wireshark-cli /usr/bin/mergecap
wireshark-cli /usr/bin/randpkt        #creates a legitimate EthernetII packet with the given Type field set
wireshark-cli /usr/bin/rawshark       #cannot write files, only to standard output
wireshark-cli /usr/bin/reordercap     #part of the functionality of editcap
wireshark-cli /usr/bin/text2pcap      #hexdump -> pcap
wireshark-cli /usr/bin/tshark
wireshark-cli /usr/include/wireshark/epan/dissectors/packet-ypbind.h
wireshark-cli /usr/share/wireshark/radius/dictionary.bintec
</pre>

=Capturing=
====browsing exercise====
# start capturing
# navigate your browser to linux.conf.au
# navigate your browser to google.com
# navigate your browser to xxxxxxx (your choice)

====have a look at the capture files that you generated====
<pre>
capinfos -T *.pcap{,ng}
</pre>

==capture interfaces==
<pre>
tcpdump -D
tshark -D
# try with no interface
tshark
</pre>

==capturing on the CLI==
tcpdump can autostop after a certain number of packets has been captured. tshark additionally has duration, filesize and number-of-files autostop conditions.

What if we want to have a permanent capture running and keep the last N days of the logs?
<pre>
tshark -b duration:2 -n -wevery2sec.pcapng & watch -n 1 ls -l
tshark -b duration:2 -n -wevery2sec.pcapng -a files:5  & watch -n1 ls -l
tshark -b duration:3600 -n -weveryHour.pcapng -b files:24
tshark -a filesize:1024 -n -w1MiB.pcapng
</pre>

=expert info=
==GUI==
        capinfo
        lower bottom corner
                expert info
                file name
                packets, etc
        statistics -> protocol hierarchy
        statistics -> HTTP -> packet counter
        statistics -> HTTP -> requests
        extract objects
        follow TCP stream
        coloring rules
        Statistics -> IPv4 Statistics -> Destinations and Ports

==CLI==
<pre>
tshark -q -z ptype,tree
tshark -q -z io,stat,20,eth
tshark -q -z io,stat,20,http
tshark -q -z io,stat,20,,"BYTES()http"
tshark -q -z http,tree
tshark -q -z http_req,tree
tshark -q -z http_srv,tree
# create a capture file for icmp
tshark -q -z icmp,srt
tshark -q -z io,phs
tshark -q -z io,stat
tshark -q -z ip_hosts,tree
tshark -q -z plen,tree
tshark -q -z endpoints,eth
tshark -q -z endpoints,eth,
tshark -q -z endpoints,ip
tshark -q -z conv,eth
tshark -q -z conv,udp
tshark -q -z conv,tcp
tshark -q -z conv
tshark -q -z expert,error
tshark -q -z expert,note
</pre>

=DECRYPTING SSL=
When a client (for example, a web browser) makes a connection to a web server requiring SSL/TLS encryption, the encrypted channel is set up using a '''symmetric''' session key. This key is a random string generated by the client, then encrypted and transmitted using the server's '''public''' key; it is known as the ''Pre-master Secret''. Once shared, the client and server use this shared key to encrypt and decrypt traffic.

MacOS users can do: launchctl setenv SSLKEYLOGFILE /tmp/SSLKEYLOGFILE.txt; open -a Applications/Firefox.app

====exercise on deciphering SSL====
# <pre>
SSLKEYLOGFILE=/tmp/SSLKEYLOGFILE.txt firefox & tail -f /tmp/SSLKEYLOGFILE.txt
</pre>
#Navigate to https://google.com
#Do some searches
#Start capture
#Open a new tab and do more searches on google.com
#try https://facebook.com or some other web site.

The SSLKEYLOGFILE variable works for firefox, chromium and any program built with the NSS library (Network Security Services).
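The file that SSLKEYLOGFILE points at is a plain-text key log: one entry per line, and Wireshark matches the CLIENT_RANDOM entries against the Client Random of each captured ClientHello. The parser below is an added example, not code from the tutorial; it reads such a log, rejects truncated or garbled lines (the usual reason Wireshark still shows ciphertext) and looks up the master secret for a given client random. The sample log and all hex values in it are constructed, not real key material.

```python
"""Sanity-check an NSS key log (SSLKEYLOGFILE) and look up secrets by client random.
Added example, not code from the tutorial. Format assumed: "<LABEL> <key hex> <secret hex>"
per line plus '#' comment lines, as written by NSS/Firefox."""
import re

LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<key>[0-9a-fA-F]+) (?P<secret>[0-9a-fA-F]+)$")
# Hex lengths per label: the lookup key is the 32-byte ClientHello random (64 hex),
# except RSA lines, which are keyed by the first 8 bytes of the encrypted pre-master secret.
KEY_LEN = {"RSA": 16}
# 48-byte (pre-)master secrets for TLS <= 1.2; TLS 1.3 traffic secrets are 32 or 48 bytes.
SECRET_LENS = {"RSA": {96}, "CLIENT_RANDOM": {96}}

def lengths_ok(label, key, secret):
    if len(key) != KEY_LEN.get(label, 64):
        return False
    return len(secret) in SECRET_LENS.get(label, {64, 96})

def parse_keylog(text):
    """Return ({(label, key_hex): secret_bytes}, [(lineno, bad_line), ...])."""
    entries, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if not m or not lengths_ok(m["label"], m["key"], m["secret"]):
            bad.append((lineno, raw))  # truncated/garbled entry: Wireshark cannot use it
            continue
        entries[(m["label"], m["key"].lower())] = bytes.fromhex(m["secret"])
    return entries, bad

def master_secret_for(entries, client_random):
    """TLS 1.2 master secret for a ClientHello random (bytes or hex string), or None."""
    key = client_random.hex() if isinstance(client_random, bytes) else client_random.lower()
    return entries.get(("CLIENT_RANDOM", key))

# Constructed sample log (not real key material); line 5 is deliberately truncated.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "RSA " + "33" * 8 + " " + "44" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "55" * 32 + " " + "66" * 32,
    "CLIENT_RANDOM deadbeef 0102",
])

if __name__ == "__main__":
    good, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(good)} usable entries, {len(bad)} rejected lines: {bad}")
    print("master secret:", master_secret_for(good, bytes.fromhex("11" * 32)).hex())
```

Run it against a real log with `parse_keylog(open(path).read())`; a non-empty rejected list usually means the browser was still writing when the file was copied.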
