Difference between pages "Unprofessional Delegates Networking Session (UnPDNS)" and "Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point."

From LCA2016 Delegate wiki

Unprofessional Delegates Networking Session (UnPDNS)

The seventh annual (except for the year we couldn't be bothered to get up for breakfast) unprofessional delegates networking session will be running on Tuesday evening.

* '''When''': Tuesday night (when the PDNS is on). We'll be there by 6; food will probably start being edible between 6:30 and 7. (Unless you're a werewolf, of course.)
* '''Where''': [https://goo.gl/maps/i36iDMb8sNS2 Eastern Beach Reserve], just before the Beach House.
* '''What''': As is traditional, a barbecue! We'll be selling barbecued food and soft drinks.
** '''Food''': Barbequed food, with both carnivore and herbivore options, probably wrapped in a bread product. Possibly some sort of salad. We'll see. $5/head.
** '''Soft Drink''': Coke, Coke Zero, Solo, Lemonade. $1/can.
** '''Alcohol''': '''Strictly BYO only'''; selling alcohol is in contravention of various state and city laws, and we're too pretty for jail. Note that Geelong City Council laws do not permit alcohol consumption after sunset; try to plan to be done about 8:40. (You can always move on elsewhere, of course.)
** All (any?) profits will benefit the conference charity: [https://givewhereyoulive.com.au/ Give Where You Live].

= Attendance =

Please add your name so that we know how much food to buy. If you are vegetarian or vegan, please add a '''(V)''' or some other note below so that we buy enough vegetarian food!

# [https://twitter.com/chrisjrn Christopher Neugebauer] (runs the UnPDNS, but refuses to acknowledge it)
# [https://twitter.com/LGnome Adam Harvey] (will probably be collecting money)
# [https://twitter.com/theskorm Michael Wheeler] (will probably eat food and stuff)
# [https://twitter.com/glasnt Katie McLaughlin] (bracket note goes here)
# [https://twitter.com/JackScottAU Jack Scott]
# [https://twitter.com/lathiat Trent Lloyd]
# Simon Green
# Glenn McIntosh
# [https://twitter.com/sridhardha Sridhar Dhanapalan]
# Paul Bone
# [https://twitter.com/jaimekristene Jaime Schmidt] ( & Arthur & Oliver - baby & Jasmine)
# Evan McLean (pithy comment redacted)
# [https://twitter.com/popcorncx Stephen Edmonds] (happy to wield implements)
# Bernard Blackham
# [https://twitter.com/rstuart85 Ryan Stuart] (will be recruiting people for the [[Interval Training BoF]])
# [https://scriptforge.org/faulteh Scott Bragg]
# [https://linux.conf.au/wiki/User:Benball@benball.net Ben Ball]
# [https://twitter.com/Ducky_tape ducky]
# Cary D
# [https://twitter.com/joeladdison Joel Addison]
# [[User:mikef-lca@cyber.com.au|Mike Abrahall]]

[[Category:Events]]

Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point.
Revision as of 13:50, 3 February 2016

PREREQUISITES

Please note that this is a tutorial, not a talk. You should have tcpdump and wireshark INSTALLED, and have done some captures, BEFORE you come to the tutorial. To find the wireshark packages do something like this:

#archlinux
pacman -Ss wireshark tcpdump
#debian
apt-cache search wireshark tcpdump
#fedora (dnf on current releases)
yum search wireshark tcpdump

Please install both the GUI and the CLI packages.

Please add the user you are going to run wireshark/tshark as to the 'wireshark' group (on Debian-based systems 'dpkg-reconfigure wireshark-common' creates the group and allows it to capture):

gpasswd -a james wireshark

After this, user 'james' will need to log out and log in again for the new group to take effect (check with 'id'). Keep running wireshark and tshark as that unprivileged user, never as root: the only program that needs capture privileges is dumpcap, which they start for you, and the dissectors that parse whatever shows up on the wire run in the unprivileged process.


If that still DOESN'T work, you might want to add file capabilities to dumpcap. Do it ONLY if you are still unable to capture:

setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Check the result with 'getcap /usr/bin/dumpcap'. File capabilities apply to anyone who can execute the binary, so also restrict it to the group ('chgrp wireshark /usr/bin/dumpcap; chmod 750 /usr/bin/dumpcap'), which is essentially how the Debian package ships it.

When finished, have a look around at what files came with the package:

tcpdump --version
tshark --version

List the binaries that came with the package (the example is for archlinux; for rpm-based distributions do 'rpm -ql wireshark', for debian 'dpkg -L wireshark'):

pacman -Ql wireshark-cli|grep bin
wireshark-cli /usr/bin/androiddump
wireshark-cli /usr/bin/capinfos
wireshark-cli /usr/bin/captype        #same as 'capinfos -t'
wireshark-cli /usr/bin/dftest         #shows display filter byte-code, for debugging filters
wireshark-cli /usr/bin/dumpcap        #the capture engine; the only tool that needs privileges; writes capture files
wireshark-cli /usr/bin/editcap        #change snaplen, split into multiple files by time or packet count, adjust timestamps
wireshark-cli /usr/bin/idl2wrs
wireshark-cli /usr/bin/mergecap       #merge capture files
wireshark-cli /usr/bin/randpkt        #random packet generator; -t picks the packet type (handy for fuzzing dissectors)
wireshark-cli /usr/bin/rawshark       #dissects raw packets from a file or pipe; cannot write files, only to standard output
wireshark-cli /usr/bin/reordercap     #reorders packets by timestamp
wireshark-cli /usr/bin/text2pcap      #hexdump -> pcap
wireshark-cli /usr/bin/tshark
wireshark-cli /usr/include/wireshark/epan/dissectors/packet-ypbind.h
wireshark-cli /usr/share/wireshark/radius/dictionary.bintec
#the last two are not binaries: 'grep bin' also matches "ypbind" and "bintec"; use grep '/usr/bin/' instead

Capturing

browsing exercise

  1. start capturing, writing to a file ('tcpdump -w browse.pcap' or 'tshark -w browse.pcapng'; tcpdump writes pcap, tshark writes pcapng by default)
  2. navigate your browser to linux.conf.au
  3. navigate your browser to google.com
  4. navigate your browser to xxxxxxx (your choice)
  5. stop the capture (Ctrl-C)

have a look at the capture files that you generated

capinfos -T *.pcap{,ng}

(the brace expansion is a bash-ism; 'capinfos -T *.pcap *.pcapng' is the portable spelling)

capture interfaces

tcpdump -D
tshark -D
# with no -i, tshark captures on the first non-loopback interface it finds (needs the capture privileges set up above); stop it with Ctrl-C
tshark

expert info

GUI

       Statistics -> Capture File Properties (the same information capinfos prints)
       status bar at the bottom of the window:
               expert info (the coloured indicator at the left)
               file name
               packet counts, etc
       Statistics -> Protocol Hierarchy
       Statistics -> HTTP -> Packet Counter
       Statistics -> HTTP -> Requests
       File -> Export Objects -> HTTP (extract transferred objects)
       Analyze -> Follow -> TCP Stream
       View -> Coloring Rules
       Statistics -> IPv4 Statistics -> Destinations and Ports

CLI

All of these read a saved capture with -r; -q suppresses the per-packet output so only the statistics are printed.

tshark -r browse.pcapng -q -z ptype,tree
tshark -r browse.pcapng -q -z io,stat,20,eth
tshark -r browse.pcapng -q -z io,stat,20,http
tshark -r browse.pcapng -q -z io,stat,20,"BYTES()http"
tshark -r browse.pcapng -q -z http,tree
tshark -r browse.pcapng -q -z http_req,tree
tshark -r browse.pcapng -q -z http_srv,tree
# create a capture file containing icmp first (ping something while capturing)
tshark -r icmp.pcapng -q -z icmp,srt
tshark -r browse.pcapng -q -z io,phs
tshark -r browse.pcapng -q -z io,stat,0        # interval 0 = one row for the whole capture
tshark -r browse.pcapng -q -z ip_hosts,tree
tshark -r browse.pcapng -q -z plen,tree
tshark -r browse.pcapng -q -z endpoints,eth
tshark -r browse.pcapng -q -z endpoints,ip
tshark -r browse.pcapng -q -z endpoints,ip,tcp.port==80   # a display filter may follow the type
tshark -r browse.pcapng -q -z conv,eth
tshark -r browse.pcapng -q -z conv,udp
tshark -r browse.pcapng -q -z conv,tcp
tshark -r browse.pcapng -q -z conv,ip
tshark -r browse.pcapng -q -z expert,error
tshark -r browse.pcapng -q -z expert,note
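The numbers that 'capinfos -T' and the 'tshark -z conv,tcp' / 'endpoints,ip' tables print are simple sums over the frames in the file, and the pcap format itself is a 24-byte header followed by a 16-byte record header per frame. The following is an added example, not code from the tutorial or from the Wireshark project: it builds a small classic pcap in memory from constructed traffic (addresses in 10.0.0.0/8 and 203.0.113.0/24, ports, timestamps and payloads are all made up; the "TLS" payload is opaque filler, not a real handshake), then recomputes the capinfos summary, the per-direction TCP conversation table and the per-address endpoint table from the bytes. It serves both the "have a look at the capture files" step and the CLI statistics above; write the bytes to a file and run the real tools on it to compare.

```python
"""Constructed pcap plus the sums behind `capinfos -T`, `tshark -z conv,tcp` and
`tshark -z endpoints,ip`.  Added example; not code from the tutorial page or from
the Wireshark project.  All traffic below is constructed sample data."""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap with microsecond timestamps (pcapng is a different format)


def _ip4(s):
    return bytes(int(o) for o in s.split("."))


def eth_ipv4(src, dst, proto, l4):
    """Ethernet II + 20-byte IPv4 header (no options) around a layer-4 payload.
    The IP checksum is left 0: the tools still dissect it and only complain if
    checksum validation is switched on."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     _ip4(src), _ip4(dst)) + l4
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip


def tcp(sport, dport, payload):
    """Minimal 20-byte TCP header (PSH|ACK, seq/ack 1, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(frames, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """frames: [(timestamp_usec: int, frame: bytes)] -> the bytes of a pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """-> (linktype, [(timestamp_usec, frame)]).  Handles both byte orders; rejects pcapng."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_USEC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap (pcapng files start with 0x0A0D0D0A)")
    linktype, = struct.unpack(e + "I", data[20:24])
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        pkts.append((sec * 1_000_000 + usec, data[off:off + incl]))
        off += incl
    return linktype, pkts


def capinfos(data):
    """What `capinfos -T` reports: packet count, data size, duration, link type."""
    linktype, pkts = parse_pcap(data)
    return {"packets": len(pkts), "bytes": sum(len(f) for _, f in pkts),
            "duration_usec": pkts[-1][0] - pkts[0][0] if pkts else 0, "linktype": linktype}


def flow(frame):
    """(src, sport, dst, dport, proto) for an Ethernet/IPv4 frame; ports None unless TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return src, sport, dst, dport, proto
    return src, None, dst, None, proto


def conversations(data, proto=6):
    """`tshark -z conv,tcp` (proto=6) / `conv,udp` (proto=17): unordered endpoint pair ->
    frames and bytes in each direction, counted as whole frames like tshark does."""
    table = defaultdict(lambda: {"a_to_b_frames": 0, "a_to_b_bytes": 0,
                                 "b_to_a_frames": 0, "b_to_a_bytes": 0})
    for _, frame in parse_pcap(data)[1]:
        f = flow(frame)
        if not f or f[4] != proto:
            continue
        a, b = (f[0], f[1]), (f[2], f[3])
        key = (a, b) if a <= b else (b, a)
        d = "a_to_b" if key == (a, b) else "b_to_a"
        table[key][d + "_frames"] += 1
        table[key][d + "_bytes"] += len(frame)
    return dict(table)


def endpoints(data):
    """`tshark -z endpoints,ip`: per address, frames/bytes transmitted (tx) and received (rx)."""
    table = defaultdict(lambda: {"tx_frames": 0, "tx_bytes": 0, "rx_frames": 0, "rx_bytes": 0})
    for _, frame in parse_pcap(data)[1]:
        f = flow(frame)
        if not f:
            continue
        table[f[0]]["tx_frames"] += 1
        table[f[0]]["tx_bytes"] += len(frame)
        table[f[2]]["rx_frames"] += 1
        table[f[2]]["rx_bytes"] += len(frame)
    return dict(table)


def sample_pcap():
    """Constructed capture: one HTTP exchange, one opaque 'TLS' exchange, one DNS-like UDP query."""
    t0 = 1_454_500_000_000_000  # constructed timestamp in microseconds (early Feb 2016)
    frames = [
        (t0, eth_ipv4("10.0.0.5", "203.0.113.10", 6,
                      tcp(40001, 80, b"GET / HTTP/1.1\r\nHost: linux.conf.au\r\n\r\n"))),
        (t0 + 50_000, eth_ipv4("203.0.113.10", "10.0.0.5", 6, tcp(80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"))),
        (t0 + 200_000, eth_ipv4("10.0.0.5", "203.0.113.20", 6, tcp(40002, 443, b"\x16\x03\x01" + b"\x00" * 29))),
        (t0 + 250_000, eth_ipv4("203.0.113.20", "10.0.0.5", 6, tcp(443, 40002, b"\x16\x03\x03" + b"\x00" * 13))),
        (t0 + 900_000, eth_ipv4("10.0.0.5", "10.0.0.1", 17, udp(53001, 53, b"\x00" * 12))),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    data = sample_pcap()
    with open("sample.pcap", "wb") as fh:   # then: capinfos -T sample.pcap; tshark -r sample.pcap -q -z conv,tcp
        fh.write(data)
    print(capinfos(data))
    print(conversations(data))
    print(endpoints(data))
```

Two things worth noticing when you compare against the real tools: the byte counts in the conversation and endpoint tables are whole frame lengths (Ethernet header included), which is what tshark reports, and the reader above only understands classic pcap, so a file written by 'tshark -w' (pcapng by default) has to be converted first with 'editcap -F pcap'.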