Difference between pages "Running BoF" and "Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point."

From LCA2016 Delegate wiki
== Running BoF ==

=== Daily Running BoF ===

Variation: Thursday February 4, 6:30am from the bus drop-off point at Waterfront campus for the Running BoF.
Those in town will find it easier to join us for a bigger running BoF group at least one day this week.

A daily running BoF will depart from the Waurn Ponds Residences in CP10 (in front of the tennis courts) at 6am every day.

There are two nearby running options that get regular traffic: the tracks around the edge of the campus and the management school, and the bike path along Waurn Ponds Creek.

Also, depending on numbers and interest, we may try some trips further afield, such as driving to near Torquay to run some of the Surf Coast walking track, or the beaches (depending on tides).

A good example of why we may wish to do that is [http://svana.org/photos/surfcoastcentury2014/websize/p1050258.jpg this photo] taken near Torquay at dawn, during a run (2 years ago).

A few of the regular runners staying in town near Waterfront may wish to arrange a split BoF in there.
* 0630 outside Waterfront campus

[https://www.strava.com/activities/483804427/embed/1559c9581ac844e1049aff7a5a5b83172f946e8e Tuesday morning run]

[https://www.strava.com/activities/484497603/embed/44c453c71c95c01aa8b3351df81a05aec017262a Wednesday morning run]

{{Template:BoF}}

== Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point ==
Revision as of 13:50, 3 February 2016

=== PREREQUISITES ===

Please note that this is a tutorial, not a talk. You should have tcpdump and wireshark INSTALLED and do some captures BEFORE you come to the tutorial. To find wireshark packages do something like this:

<pre>
#archlinux
pacman -Ss wireshark tcpdump
#debian
apt-cache search wireshark tcpdump
#fedora
yum search wireshark tcpdump
</pre>

Please install both GUI and CLI packages.

Please add the user you are going to run wireshark/tshark as to the 'wireshark' user group.

<pre>
# run as root; 'james' stands for whichever user will run wireshark/tshark
gpasswd -a james wireshark
</pre>

After this user 'james' will need to log out and log in again!


If that still DOESN'T work, you might want to add a capability. Do it ONLY if you are still unable to capture.

<pre>
# run as root; dumpcap is the helper wireshark and tshark use for capturing
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
</pre>

When finished, have a look around at what files came with the package:

<pre>
tcpdump --version
tshark --version
</pre>

List the binaries that came with the package (the example is for Arch Linux; for rpm-based distributions do 'rpm -ql wireshark', for Debian 'dpkg -L wireshark'):

<pre>
pacman -Ql wireshark-cli|grep bin
wireshark-cli /usr/bin/androiddump
wireshark-cli /usr/bin/capinfos
wireshark-cli /usr/bin/captype        #same as 'capinfos -t'
wireshark-cli /usr/bin/dftest         #display filter byte-code for debugging
wireshark-cli /usr/bin/dumpcap        #can write files
wireshark-cli /usr/bin/editcap        #snaplen, or split into multiple files based on time or number of packets, adjust time
wireshark-cli /usr/bin/idl2wrs
wireshark-cli /usr/bin/mergecap
wireshark-cli /usr/bin/randpkt        #creates a legitimate EthernetII packet with the given Type field set
wireshark-cli /usr/bin/rawshark       #cannot write files, only to standard output
wireshark-cli /usr/bin/reordercap     #part of the functionality of editcap
wireshark-cli /usr/bin/text2pcap      #hexdump -> pcap
wireshark-cli /usr/bin/tshark
wireshark-cli /usr/include/wireshark/epan/dissectors/packet-ypbind.h   #matched 'bin' inside the file name, not /usr/bin
wireshark-cli /usr/share/wireshark/radius/dictionary.bintec            #likewise
</pre>

=== Capturing ===

==== browsing exercise ====

# start capturing
# navigate your browser to linux.conf.au
# navigate your browser to google.com
# navigate your browser to xxxxxxx (your choice)

==== have a look at the capture files that you generated ====

<pre>
# -T prints a table; the brace expansion matches both .pcap and .pcapng (bash/zsh)
capinfos -T *.pcap{,ng}
</pre>

==== capture interfaces ====

<pre>
tcpdump -D
tshark -D
# try with no interface (tshark then captures on the first/default interface)
tshark
</pre>

=== expert info ===

==== GUI ====

* capinfo
* lower bottom corner (status bar)
** expert info
** file name
** packets, etc
* statistics -> protocol hierarchy
* statistics -> HTTP -> packet counter
* statistics -> HTTP -> requests
* extract objects
* follow TCP stream
* coloring rules
* Statistics -> IPv4 Statistics -> Destinations and Ports

==== CLI ====

<pre>
# -q suppresses per-packet output so only the -z statistics are printed.
# As written these read live traffic from the default interface (stop with Ctrl-C);
# add -r <capture file> to run the same statistics over a saved capture instead.
tshark -q -z ptype,tree
tshark -q -z io,stat,20,eth
tshark -q -z io,stat,20,http
tshark -q -z io,stat,20,,"BYTES()http"
tshark -q -z http,tree
tshark -q -z http_req,tree
tshark -q -z http_srv,tree
# create a capture file for icmp first, then run the next one over it with -r
tshark -q -z icmp,srt
tshark -q -z io,phs
tshark -q -z io,stat           # missing the interval: tshark rejects it and prints the expected form
tshark -q -z ip_hosts,tree
tshark -q -z plen,tree
tshark -q -z endpoints,eth
tshark -q -z endpoints,eth,    # trailing comma: the place for a display filter, left empty here
tshark -q -z endpoints,ip
tshark -q -z conv,eth
tshark -q -z conv,udp
tshark -q -z conv,tcp
tshark -q -z conv              # missing the protocol: tshark rejects it and lists the valid forms
tshark -q -z expert,error
tshark -q -z expert,note
</pre>
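As an added example (not part of the tutorial or of the Wireshark project), a short Python reader that recomputes the frame and byte counts per TCP conversation directly from a classic pcap file, so the figures `tshark -q -z conv,tcp` reports can be verified from the raw bytes. It assumes little-endian pcap with Ethernet framing (what `tcpdump -w` or `tshark -F pcap -w` write); the sample capture and its addresses are constructed inline.

```python
import struct
from collections import defaultdict

# Added cross-check for `tshark -q -z conv,tcp`: count frames and bytes per TCP
# conversation straight from classic (little-endian, Ethernet) pcap bytes.

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Ethernet II / IPv4 / TCP frame with dummy MACs and zeroed checksums."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a pcap file: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)

def tcp_conversations(pcap):
    """Return {(endpoint_a, endpoint_b): [frames, bytes]}, one entry per TCP conversation."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    convs, off = defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]  # ts_sec, ts_usec, caplen, len
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        key = tuple(sorted([f"{src}:{sport}", f"{dst}:{dport}"]))  # both directions share a key
        convs[key][0] += 1
        convs[key][1] += caplen
    return dict(convs)

# Constructed sample (documentation addresses, nothing real): a request/response
# pair with 192.0.2.10:80 and a single segment towards 198.51.100.20:443.
SAMPLE = build_pcap([
    tcp_frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.1\r\n"),
    tcp_frame("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n"),
    tcp_frame("10.0.0.5", "198.51.100.20", 40001, 443),
])
for (a, b), (n, nbytes) in tcp_conversations(SAMPLE).items():
    print(f"{a} <-> {b}: {n} frames, {nbytes} bytes")
```

Write `SAMPLE` to a file and run `tshark -q -r that.pcap -z conv,tcp` on it: the per-pair Frames and Bytes totals should match what the function returns.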