Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point.

From LCA2016 Delegate wiki

===PREREQUISITES===
Please note that this is a tutorial, not a talk.
You should have tcpdump and wireshark INSTALLED and do some captures BEFORE you come to the tutorial.
To find wireshark packages do something like this:
<pre>
#archlinux
pacman -Ss wireshark tcpdump
#debian
apt-cache search wireshark tcpdump
#fedora
yum search wireshark tcpdump
</pre>
Please install both GUI and CLI packages.

Please add the user you are going to run wireshark/tshark as to the 'wireshark' user group.
<pre>
gpasswd -a james wireshark
</pre>
After this, user 'james' will need to log out and log in again!

If that still DOESN'T work, you might want to add a capability. Do it ONLY if you are still unable to capture.
<pre>
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
</pre>
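Before reaching for setcap, it is worth checking which of the two steps above actually took effect in the current session. The following script is an added example, not part of the tutorial: it reports whether the current user is in the 'wireshark' group (as seen by this login session) and whether dumpcap already carries the two capabilities. The function names and messages are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the tutorial: check whether the current user can
# capture without root, in the order the steps above are meant to be tried
# (wireshark group first, file capabilities on dumpcap only as a fallback).
# Function names and messages are this example's own assumptions.

# in_list WORD LIST -> succeeds if WORD is one of the space-separated words in LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# has_capture_caps GETCAP_LINE -> succeeds if a getcap line grants both
# cap_net_raw and cap_net_admin (works for the '=' and '+' output styles)
has_capture_caps() {
    case "$1" in
        *cap_net_raw*)
            case "$1" in
                *cap_net_admin*) return 0 ;;
            esac ;;
    esac
    return 1
}

# check_capture_perms -> prints what it finds; exit status 0 if either the
# group membership or the capabilities are in place for this session
check_capture_perms() {
    user=$(id -un)
    # id -nG reports the groups of the *current session*, so a user added with
    # 'gpasswd -a' still shows as missing until they log out and back in
    groups=$(id -nG "$user")
    status=1
    if in_list wireshark "$groups"; then
        echo "ok: $user is in the wireshark group"
        status=0
    else
        echo "warn: $user is not in the wireshark group in this session (re-login after gpasswd -a?)"
    fi

    dumpcap=$(command -v dumpcap || echo /usr/bin/dumpcap)
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$dumpcap" 2>/dev/null || true)
    fi
    if has_capture_caps "$caps"; then
        echo "ok: $caps"
        status=0
    else
        echo "info: no cap_net_raw/cap_net_admin on $dumpcap (only needed if the group alone does not work)"
    fi
    # A packaged dumpcap is often setgid wireshark (-rwxr-sr-x); show the mode for the record
    ls -l "$dumpcap" 2>/dev/null || echo "info: $dumpcap not found"
    return $status
}

check_capture_perms || echo "result: capture as $(id -un) is likely to fail; fix the group membership first"
```

Run it once before and once after logging back in: the group line flipping from warn to ok is the usual sign that the gpasswd step worked and no capability is needed.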

When finished, have a look around at what files came with the package:
<pre>
tcpdump --version
tshark --version
</pre>
List the binaries that came with the package (example is for archlinux; for rpm-based distros do 'rpm -ql wireshark', for debian 'dpkg -L wireshark')
<pre>
pacman -Ql wireshark-cli|grep bin
wireshark-cli /usr/bin/androiddump
wireshark-cli /usr/bin/capinfos
wireshark-cli /usr/bin/captype        #same as 'capinfos -t'
wireshark-cli /usr/bin/dftest         #display filter byte-code for debugging
wireshark-cli /usr/bin/dumpcap        #can write files
wireshark-cli /usr/bin/editcap        #snaplen, or split into multiple files based on time or number of packets, adjust time
wireshark-cli /usr/bin/idl2wrs
wireshark-cli /usr/bin/mergecap
wireshark-cli /usr/bin/randpkt        #creates a legitimate EthernetII packet with the given Type field set
wireshark-cli /usr/bin/rawshark       #cannot write files, only to standard output
wireshark-cli /usr/bin/reordercap     #part of the functionality of editcap
wireshark-cli /usr/bin/text2pcap      #hexdump -> pcap
wireshark-cli /usr/bin/tshark
wireshark-cli /usr/include/wireshark/epan/dissectors/packet-ypbind.h
wireshark-cli /usr/share/wireshark/radius/dictionary.bintec
</pre>

=Capturing=
====browsing exercise====
# start capturing
# navigate your browser to linux.conf.au
# navigate your browser to google.com
# navigate your browser to xxxxxxx (your choice)

====have a look at the capture files that you generated====
<pre>
capinfos -T *.pcap{,ng}
</pre>
==capture interfaces==
<pre>
tcpdump -D
tshark -D
# try with no interface
tshark
</pre>

==capturing on the CLI==

tcpdump can autostop after a certain number of packets has been captured (-c). tshark additionally has duration, filesize and number-of-files autostop conditions (-a).
What if we want to have a permanent capture running and keep the last N days of logs?
<pre>
tshark -b duration:2 -n -wevery2sec.pcapng & watch -n 1 ls -l
tshark -b duration:2 -n -wevery2sec.pcapng -a files:5  & watch -n1 ls -l
tshark -b duration:3600 -n -weveryHour.pcapng -b files:24
tshark -a filesize:1024 -n -w1MiB.pcapng
</pre>
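The last-N-days case is just arithmetic on the two -b options shown above: the ring rotates every S seconds and keeps F files, so the window is S*F seconds. The script below is an added example, not part of the tutorial, that derives F from the requested number of days, prints the resulting tshark command, and only launches it when asked to and when tshark is installed. The function names, the interface eth0 and the /var/tmp path are this example's assumptions.

```sh
#!/bin/sh
# Added example, not part of the tutorial: derive the ring-buffer settings for
# "keep the last N days" from the two tshark options used above. -b duration:S
# starts a new file every S seconds and -b files:F keeps at most F files, so
# the retention window is S*F seconds and F = ceil(DAYS*86400 / S).
# Function names, the interface and the output path are this example's assumptions.

# ring_files DAYS SECS -> number of files that retain at least DAYS days
ring_files() {
    days=$1
    secs=$2
    # integer division truncates, so round up: never keep less than asked for
    echo $(( (days * 86400 + secs - 1) / secs ))
}

# ring_retention_hours SECS FILES -> how many hours such a ring actually covers
ring_retention_hours() {
    echo $(( $1 * $2 / 3600 ))
}

# ring_cmd DAYS SECS IFACE PREFIX -> the tshark command line, printed, not run.
# -n disables name resolution so the capture host does not itself emit DNS
# lookups for every address it records.
ring_cmd() {
    files=$(ring_files "$1" "$2")
    echo "tshark -i $3 -n -b duration:$2 -b files:$files -w $4.pcapng"
}

# Show the plan; only launch it when explicitly asked and tshark is installed.
# dumpcap names the ring files PREFIX_NNNNN_YYYYMMDDhhmmss.pcapng and deletes
# the oldest when the limit is reached, so the directory never grows past F files.
CMD=$(ring_cmd 2 3600 eth0 /var/tmp/ring)
echo "plan: $CMD   # covers $(ring_retention_hours 3600 "$(ring_files 2 3600)") hours"
if [ "${1:-}" = "--run" ] && command -v tshark >/dev/null 2>&1; then
    $CMD
fi
```

With the tutorial's own numbers, ring_files 1 3600 gives 24, which is exactly the "everyHour.pcapng -b files:24" line above: one day of traffic in hourly files.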
=expert info=
==GUI==
* capinfo
* lower bottom corner
** expert info
** file name
** packets, etc
* statistics -> protocol hierarchy
* statistics -> HTTP -> packet counter
* statistics -> HTTP -> requests
* extract objects
* follow TCP stream
* coloring rules
* Statistics -> IPv4 Statistics -> Destinations and Ports
==CLI==
<pre>
! tshark -q -z ptype,tree
! tshark -q -z io,stat,20,eth -q
! tshark -q -z io,stat,20,http -q
! tshark -q -z io,stat,20,,"BYTES()http" -q
! tshark -q -z http,tree
! tshark -q -z http_req,tree
! tshark -q -z http_srv,tree
create a capture file for icmp
! tshark -q -z icmp,srt
! tshark -q -z io,phs
! tshark -q -z io,stat
! tshark -q -z ip_hosts,tree
! tshark -q -z plen,tree
! tshark -q -z endpoints,eth
! tshark -q -z endpoints,eth,
! tshark -q -z endpoints,ip
! tshark -q -z conv,eth
! tshark -q -z conv,udp
! tshark -q -z conv,tcp
! tshark -q -z conv
! tshark -q -z expert,error -q
! tshark -q -z expert,note -q
</pre>

=DECRYPTING SSL=
When a client (for example, a web browser) makes a connection to a web server requiring SSL/TLS encryption, the encrypted channel is set up using a '''symmetric''' session key. With RSA key exchange, the client generates a random value known as the ''Pre-master Secret'', encrypts it with the server's '''public''' key and transmits it to the server; both sides then derive the symmetric session keys from it and use them to encrypt and decrypt traffic. Wireshark can decrypt a capture if it is given those secrets, which is what the SSLKEYLOGFILE below records.

MacOS users can do: launchctl setenv SSLKEYLOGFILE /tmp/SSLKEYLOGFILE.txt; open -a Applications/Firefox.app

====exercise on deciphering SSL====
# Start firefox with SSLKEYLOGFILE set and watch the file being written:
<pre>
SSLKEYLOGFILE=/tmp/SSLKEYLOGFILE.txt firefox &  tail -f /tmp/SSLKEYLOGFILE.txt
</pre>
# Navigate to https://google.com
# Do some searches
# Start capture
# Open a new tab and do more searches on google.com
# Try https://facebook.com or some other web site.

The SSLKEYLOGFILE variable works for firefox, chromium and any program built with the NSS library (Network Security Services).
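The key log that tail -f shows in the exercise is a plain-text format, and the commonest reason tshark still shows only "Application Data" is a log that was written by the wrong browser profile or cut off mid-line. The script below is an added example, not part of the tutorial: it validates an NSS key log (covering both the Pre-master Secret handshake described at the top of this section and the SSLKEYLOGFILE mechanism) and builds the tshark command that consumes it. Function names and the sample data are this example's own; the hex in the sample is constructed filler, not real key material.

```sh
#!/bin/sh
# Added example, not part of the tutorial: validate an SSLKEYLOGFILE before
# pointing tshark at it, and build the decrypt command. The NSS key log is
# plain text, one record per line, "LABEL <hex> <hex>":
#   CLIENT_RANDOM <32-byte client random> <48-byte master secret>
#   RSA <first 8 bytes of the encrypted pre-master secret> <48-byte pre-master secret>
# CLIENT_RANDOM is the form Firefox/Chromium write for the handshakes in the
# exercise above; tshark matches its first field against the ClientHello random
# in the capture. Function names and the sample data are this example's own.

# keylog_stats FILE -> prints "<good> <bad>": well-formed records vs. other
# non-blank, non-comment lines (typically a partial line still being written)
keylog_stats() {
    awk '
        /^[ \t]*$/ || /^#/ { next }
        NF == 3 && $2 ~ /^[0-9a-fA-F]+$/ && $3 ~ /^[0-9a-fA-F]+$/ &&
        ( ($1 == "CLIENT_RANDOM" && length($2) == 64 && length($3) == 96) ||
          ($1 == "RSA"           && length($2) == 16 && length($3) == 96) ) { good++; next }
        { bad++ }
        END { printf "%d %d\n", good + 0, bad + 0 }
    ' "$1"
}

# decrypt_cmd KEYLOG CAPTURE -> tshark command that decrypts and prints HTTP.
# Wireshark 2.x (current at LCA2016) calls the preference ssl.keylog_file;
# from Wireshark 3.0 on it is tls.keylog_file.
decrypt_cmd() {
    echo "tshark -r $2 -o ssl.keylog_file:$1 -Y http"
}

# Constructed sample log: repeated hex digits standing in for real secrets.
H16=0123456789abcdef
H64=$H16$H16$H16$H16
H96=$H64$H16$H16
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<EOF
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM $H64 $H96
RSA $H16 $H96
CLIENT_RANDOM $H64 deadbeef
CLIENT_RANDOM $H64
EOF

echo "records good/bad: $(keylog_stats "$SAMPLE")"
decrypt_cmd /tmp/SSLKEYLOGFILE.txt capture.pcapng
```

If the "bad" count is non-zero while the browser is still running, wait for the line to be completed (or close the browser) before decrypting; tshark skips malformed lines silently, so a session whose record was cut off simply stays encrypted in the decode.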

Home Automation BoF

Revision as of 07:33, 4 February 2016

Come and discuss Home Automation including all things Sensors, Collection, Graphing, Control & Open Hardware. Very loose definition; if you want to talk about anything then just come along!

Time: Friday Lunch (12:20-13:20)
Location: D2.211

Trent Lloyd (https://twitter.com/lathiat) can briefly re-run his lightning talk from open hardware on graphing everything in his house and programming a BLE (Bluetooth Low Energy) dev board on Linux.

Then let's discuss what everyone else is doing, show off with photos if you have some, etc.

Attendees

If you are coming then please note below and include anything you can talk about, would like to hear about, or just your name to come and enjoy the discussion.

  • Trent Lloyd (can talk: graphing, BLE, 20Wh solar wireless sites)
  • (TBC) Cary D (can talk JeeNode Micro)
  • Alastair D'Silva (1 Wire, Domoticz, WigWag)