Difference between pages "Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point." and "Kerbal BoF"

From LCA2016 Delegate wiki

===PREREQUISITES===
Please note that this is a tutorial, not a talk.

You should have tcpdump and wireshark INSTALLED and do some captures BEFORE you come to the tutorial.

To find wireshark packages do something like this:
<pre>
#archlinux
pacman -Ss wireshark tcpdump
#debian
apt-cache search wireshark tcpdump
#fedora
yum search wireshark tcpdump
</pre>
Please install both GUI and CLI packages.

Please add the user you are going to run wireshark/tshark as to the 'wireshark' user group.
<pre>
gpasswd -a james wireshark
</pre>
After this user 'james' will need to log out and log in again (group membership is only picked up at login)!

If that still DOESN'T work, you might want to add a capability. Do it ONLY if you are still unable to do capture.
<pre>
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
</pre>
Both wireshark and tshark capture through dumpcap, so dumpcap is the only binary that needs the privilege. File capabilities let every user who can execute dumpcap sniff raw traffic, so keep the binary executable only by the wireshark group (for example 'chown root:wireshark /usr/bin/dumpcap; chmod 750 /usr/bin/dumpcap') and check the result with 'getcap /usr/bin/dumpcap'.

When finished, have a look around at what files came with the package:
<pre>
tcpdump --version
tshark --version
</pre>
List binaries that came with the package (example is for archlinux; for rpm-like distributions do 'rpm -ql wireshark', for debian 'dpkg -L wireshark'). The 'grep bin' also matches a couple of non-binary paths (ypbind, bintec), which is why they show up below:
<pre>
pacman -Ql wireshark-cli|grep bin
wireshark-cli /usr/bin/androiddump
wireshark-cli /usr/bin/capinfos
wireshark-cli /usr/bin/captype        #same as 'capinfos -t'
wireshark-cli /usr/bin/dftest         #display filter byte-code for debugging
wireshark-cli /usr/bin/dumpcap        #the capture engine; can write files
wireshark-cli /usr/bin/editcap        #change snaplen, split into multiple files based on time or number of packets, adjust time
wireshark-cli /usr/bin/idl2wrs
wireshark-cli /usr/bin/mergecap
wireshark-cli /usr/bin/randpkt        #creates random packets, e.g. an EthernetII packet with the given Type field set
wireshark-cli /usr/bin/rawshark       #cannot write files, only to standard output
wireshark-cli /usr/bin/reordercap     #part of the functionality of editcap
wireshark-cli /usr/bin/text2pcap      #hexdump -> pcap
wireshark-cli /usr/bin/tshark
wireshark-cli /usr/include/wireshark/epan/dissectors/packet-ypbind.h
wireshark-cli /usr/share/wireshark/radius/dictionary.bintec
</pre>

=Capturing=
====browsing exercise====
# start capturing
# navigate your browser to linux.conf.au
# navigate your browser to google.com
# navigate your browser to xxxxxxx (your choice)

====have a look at the capture files that you generated====
<pre>
capinfos -T *.pcap{,ng}
</pre>
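To see what capinfos, text2pcap, editcap and reordercap actually work on, here is an added example (not part of the original tutorial) that writes a classic libpcap file from a few constructed Ethernet frames, reads it back honouring the byte order announced by the magic number, and then produces the capinfos-style summary (packet count, bytes, first/last timestamp, duration) and a reordercap-style sort. The frames and timestamps are made up for the example; the file format itself is the real one.

```python
"""Added example (not part of the original tutorial): build a tiny pcap file
from constructed packets, then summarise it the way 'capinfos' would and
reorder it the way 'reordercap' would.  Pure standard library, runs offline."""
import struct
import tempfile
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic (native byte order)
LINKTYPE_ETHERNET = 1

Packet = Tuple[float, bytes]  # (timestamp in seconds, raw frame)


def write_pcap(path: str, packets: List[Packet], snaplen: int = 65535) -> None:
    """Write packets in the classic libpcap format (what text2pcap produces)."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            cap = frame[:snaplen]   # snaplen truncates what is stored, not orig_len
            # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
            f.write(struct.pack("<IIII", sec, usec, len(cap), len(frame)))
            f.write(cap)


def read_pcap(path: str) -> List[Packet]:
    """Parse a pcap file, honouring the byte order announced by the magic number."""
    with open(path, "rb") as f:
        data = f.read()
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng uses a different magic)")
    packets = []
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % offset)
        packets.append((sec + usec / 1_000_000, frame))
        offset += incl_len
    return packets


def capinfos(packets: List[Packet]) -> dict:
    """The figures 'capinfos' prints: packet count, bytes, first/last time, duration."""
    if not packets:
        return {"packets": 0, "bytes": 0, "duration": 0.0}
    times = [ts for ts, _ in packets]
    return {
        "packets": len(packets),
        "bytes": sum(len(frame) for _, frame in packets),
        "first": min(times),
        "last": max(times),
        "duration": max(times) - min(times),
    }


def reordercap(packets: List[Packet]) -> List[Packet]:
    """Sort by timestamp like 'reordercap' (stable, so equal timestamps keep file order)."""
    return sorted(packets, key=lambda p: p[0])


# Constructed sample frames: Ethernet header (dst, src, EtherType IPv4) plus dummy payload.
# They are not taken from a real capture.
def _frame(payload_len: int) -> bytes:
    return bytes.fromhex("ffffffffffff" "0011223344aa" "0800") + b"\x00" * payload_len


SAMPLE = [
    (1454486400.000000, _frame(46)),
    (1454486400.250000, _frame(100)),
    (1454486400.125000, _frame(60)),   # out of order on purpose
]


def demo() -> dict:
    """Round-trip the sample through a file and return the capinfos summary."""
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    write_pcap(path, SAMPLE)
    back = read_pcap(path)
    assert [f for _, f in back] == [f for _, f in SAMPLE]
    return capinfos(reordercap(back))


if __name__ == "__main__":
    print(demo())
```

The incl_len/orig_len pair in each record header is what 'editcap -s' (snaplen) changes and what capinfos reports as captured versus on-the-wire size.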
==capture interfaces==
<pre>
tcpdump -D
tshark -D
# try with no interface
tshark
</pre>

==capturing on the CLI==
tcpdump can autostop after a certain number of packets has been captured (-c). tshark additionally has duration, filesize and number-of-files autostop conditions (-a).

What if we want to have a permanent capture running and keep the last N days of the logs? Use a ring buffer (-b): a new file is started on the given condition and only the newest 'files:N' files are kept. Note the difference between '-a files:5', which stops capturing after 5 files, and '-b files:24', which keeps capturing and drops the oldest file once 24 exist.
<pre>
tshark -b duration:2 -n -w every2sec.pcapng & watch -n 1 ls -l
tshark -b duration:2 -n -w every2sec.pcapng -a files:5  & watch -n1 ls -l
tshark -b duration:3600 -n -w everyHour.pcapng -b files:24
tshark -a filesize:1024 -n -w 1MiB.pcapng
</pre>

=expert info=
==GUI==
Useful wireshark options when opening a capture from the command line:
<pre>
-r <pcap file>
-J <jump filter>
          After reading in a capture file using the -r flag, jump to the packet matching the filter (display
          filter syntax).  If no exact match is found the first packet after that is selected.
</pre>
Things to look at in the GUI:
* capture info in the lower bottom corner (status bar): expert info, file name, packets, etc
* Statistics -> Protocol Hierarchy
* Statistics -> HTTP -> Packet Counter
* Statistics -> HTTP -> Requests
* File -> Export Objects (extract transferred files from the capture)
* Follow TCP stream
* Coloring rules
* Statistics -> IPv4 Statistics -> Destinations and Ports
* fields: delta time (frame.time_delta, frame.time_delta_displayed)
==CLI==
The -z statistics below work on a capture file (-r file) or on a live capture; -q suppresses the per-packet output so only the statistics are printed.
<pre>
tshark -q -z ptype,tree
tshark -q -z io,stat,20,eth
tshark -q -z io,stat,20,http
tshark -q -z io,stat,20,,"BYTES()http"
tshark -q -z http,tree
tshark -q -z http_req,tree
tshark -q -z http_srv,tree
# create a capture file for icmp first
tshark -q -z icmp,srt
tshark -q -z io,phs
tshark -q -z io,stat,0
tshark -q -z ip_hosts,tree
tshark -q -z plen,tree
tshark -q -z endpoints,eth
tshark -q -z endpoints,ip
tshark -q -z conv,eth
tshark -q -z conv,udp
tshark -q -z conv,tcp
tshark -q -z expert,error
tshark -q -z expert,note
</pre>

=DECRYPTING SSL=

When a client (for example, a web browser) makes a connection to a web server requiring SSL/TLS encryption, the encrypted channel is set up using '''symmetric''' session keys. Both sides derive those keys from a shared secret, the ''Pre-master Secret''. With RSA key exchange the client generates it as a random string and sends it encrypted with the server's '''public''' key; with (EC)DHE key exchange, which is what most sites negotiate today, it is the result of a Diffie-Hellman exchange and never crosses the wire at all. Either way the pre-master secret, together with the client and server randoms, is expanded into the master secret and then into the session keys used to encrypt and decrypt the traffic.

This is why decrypting a capture needs the client's cooperation: the server's private key only helps for RSA key exchange, whereas a key log written by the client works for every cipher suite. Firefox and Chromium write one when the SSLKEYLOGFILE environment variable is set. Each CLIENT_RANDOM line pairs the 32-byte client random from the ClientHello with the 48-byte master secret, which is exactly what wireshark needs to decrypt that session (Edit -> Preferences -> Protocols -> SSL -> (Pre)-Master-Secret log filename). Treat the file as sensitive: anyone who has it together with the capture can read the traffic, so unset the variable and delete the file when you are done.

MacOS users can do: launchctl setenv SSLKEYLOGFILE /tmp/SSLKEYLOGFILE.txt; open -a Applications/Firefox.app

====exercise on deciphering SSL====
# <pre>
SSLKEYLOGFILE=/tmp/SSLKEYLOGFILE.txt firefox &  tail -f /tmp/SSLKEYLOGFILE.txt
</pre>
# Navigate to https://google.com
# Do some searches
# Start capture
# Open a new tab and do more searches on google.com
# Try https://facebook.com or some other web site.

The SSLKEYLOGFILE variable works for Firefox and any program built with the NSS library (Network Security Services); Chromium honours the same variable and file format too.

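What wireshark does with that key log before it can decrypt anything is match the client random in the captured ClientHello against the CLIENT_RANDOM lines. Here is an added example (not part of the original tutorial) that does exactly that match by hand: it parses the TLS record and handshake headers to pull the 32-byte random out of a ClientHello, parses an SSLKEYLOGFILE, and reports whether the session is decryptable. The ClientHello bytes and the key log lines are constructed for the example and are not from a real capture; a truncated record (snaplen too small) is reported rather than silently mis-parsed.

```python
"""Added example (not part of the original tutorial): pull the client random out
of a TLS ClientHello record and look up the matching master secret in an
SSLKEYLOGFILE, which is the first step wireshark takes before decrypting a session.
Both the ClientHello bytes and the key log lines are constructed sample data."""
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01


def client_random_from_record(record: bytes) -> bytes:
    """Return the 32-byte client random from a TLS record carrying a ClientHello.

    Record layout: type(1) version(2) length(2) | handshake: type(1) length(3)
    | client_version(2) random(32) ...
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record (partial capture or snaplen too small)")
    if body[0] != HS_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32:
        raise ValueError("ClientHello too short to contain a random")
    return hello[2:34]          # skip client_version, take the random


def parse_keylog(text: str) -> Dict[bytes, bytes]:
    """Parse 'CLIENT_RANDOM <random hex> <master secret hex>' lines.

    Other line types (RSA, comments, blank lines) are skipped, as wireshark does.
    """
    secrets: Dict[bytes, bytes] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue
        secrets[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return secrets


def master_secret_for(record: bytes, keylog: Dict[bytes, bytes]) -> Optional[bytes]:
    """The session can be decrypted only if its client random is in the key log."""
    return keylog.get(client_random_from_record(record))


# --- constructed sample data (not from a real capture) ----------------------
CLIENT_RANDOM = bytes(range(0x10, 0x30))            # 32 bytes, 0x10..0x2f
MASTER_SECRET = bytes([0xAB] * 48)                 # 48-byte master secret


def build_client_hello(random32: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello record: version, random, empty session id,
    one cipher suite, null compression, no extensions."""
    hello = (b"\x03\x03" + random32 + b"\x00"           # version, random, session id len
             + b"\x00\x02\xc0\x2f"                     # cipher suites: ECDHE-RSA-AES128-GCM-SHA256
             + b"\x01\x00")                            # compression: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


SAMPLE_HELLO = build_client_hello(CLIENT_RANDOM)
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    "CLIENT_RANDOM " + CLIENT_RANDOM.hex() + " " + MASTER_SECRET.hex() + "\n"
    "CLIENT_RANDOM " + ("00" * 32) + " " + ("11" * 48) + "\n"
)

if __name__ == "__main__":
    keylog = parse_keylog(SAMPLE_KEYLOG)
    print("decryptable:", master_secret_for(SAMPLE_HELLO, keylog) == MASTER_SECRET)
```

A session whose client random is missing from the log (for instance one that was resumed, or one started before you set the variable) stays encrypted, which is why the exercise has you start the browser with the variable set before capturing.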
==display filter==
<pre>
tcp.options.sack
http
ip.src==1.1.1.1 && (tcp.analysis.retransmission or tcp.analysis.fast_retransmission)
http.time >= 0.4
tcp.analysis.rto >= 0.050
# for non-proxy requests http.request.uri holds only the path; use http.request.full_uri for the whole URL
http.request.uri == "https://www.wireshark.org/"
http.response.code == 500
tcp.port in {80 443 8080}
#the above is same as:
tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
_ws.expert.severity >= warn
        0x1      ok
        0x100000 comment
        0x200000 chat
        0x400000 note
        0x600000 warn
        0x800000 error

tshark -r /var/tmp/aros.pcapng -Tfields -e frame.number -e ip.src -e ip.dst
tshark -r /srv/http/TCP_SACK.cap -Y 'frame.number==29' -V
# only the last -Y is used, so combine conditions in one filter:
tshark -r TCP_SACK.cap -Y 'frame.number>=10 && frame.number<=15'
</pre>
==columns==
-T fields with one -e per field prints one tab-separated column per field; add -E header=y for a header line and -E separator=, for CSV.
<pre>
tshark -r http.pcapng -z follow,tcp,hex,1
tshark -Tfields -e ip.addr -e tcp.window_size
tshark -r http.pcapng -z follow,tcp,hex,127.0.0.1:59544,127.0.0.1:80
tshark -r /srv/http/TCP_SACK.cap -Tfields -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.ack -e tcp.analysis.ack_rtt
tshark -r /srv/http/TCP_SACK.cap -Tfields -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.ack -e tcp.options.sack_le -e tcp.options.sack_re
</pre>
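The tcp.analysis.* fields used in the display filters above and in the column listing are not on the wire; wireshark computes them by tracking sequence numbers per direction. Here is an added example (not part of the original tutorial) of a simplified version of that logic, run over the kind of tab-separated output the -T fields command above produces: a payload segment whose sequence number falls below the highest next-sequence already seen in its direction is flagged as a retransmission, and an ACK that covers outstanding data yields an ack RTT measured from the data's first transmission. The five sample lines are constructed (one connection, relative sequence numbers); wireshark's real heuristics (fast retransmission, spurious retransmission, out-of-order) are more elaborate.

```python
"""Added example (not part of the original tutorial): a simplified version of
the checks behind tcp.analysis.retransmission and tcp.analysis.ack_rtt, run
over the tab-separated output of
  tshark -T fields -e frame.number -e frame.time_epoch -e ip.src -e ip.dst
         -e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.ack
The sample lines are constructed, not from a real capture."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    frame: int
    time: float
    src: str
    dst: str
    seq: int
    length: int
    nxtseq: int
    ack: int


def parse_fields(text: str) -> List[Segment]:
    """Parse tshark -T fields output (tab separated, one packet per line)."""
    segs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError("expected 8 fields, got %d: %r" % (len(f), line))
        segs.append(Segment(int(f[0]), float(f[1]), f[2], f[3],
                            int(f[4]), int(f[5]), int(f[6]), int(f[7])))
    return segs


def analyse(segs: List[Segment]) -> Dict[int, dict]:
    """Return per-frame analysis flags keyed by frame number:
    {'retransmission': True} and/or {'ack_rtt': seconds}."""
    flags: Dict[int, dict] = {s.frame: {} for s in segs}
    # highest next-sequence number seen so far, per direction (src, dst)
    max_nxtseq: Dict[Tuple[str, str], int] = {}
    # unacknowledged data per direction: list of (nxtseq, time of first transmission)
    in_flight: Dict[Tuple[str, str], List[Tuple[int, float]]] = {}

    for s in segs:
        fwd = (s.src, s.dst)
        rev = (s.dst, s.src)

        # 1. retransmission: payload whose sequence range was already sent
        if s.length > 0 and s.seq < max_nxtseq.get(fwd, 0):
            flags[s.frame]["retransmission"] = True
        elif s.length > 0:
            in_flight.setdefault(fwd, []).append((s.nxtseq, s.time))
        max_nxtseq[fwd] = max(max_nxtseq.get(fwd, 0), s.nxtseq)

        # 2. ack RTT: this segment acknowledges data sent in the reverse direction
        pending = in_flight.get(rev, [])
        acked = [p for p in pending if p[0] <= s.ack]
        if acked:
            # Clock starts at the first transmission (Karn's rule): a retransmitted
            # copy of the same data does not restart it, so the RTO shows up as a long RTT.
            newest = max(acked, key=lambda p: p[0])
            flags[s.frame]["ack_rtt"] = round(s.time - newest[1], 6)
            in_flight[rev] = [p for p in pending if p[0] > s.ack]
    return flags


# Constructed sample: frame 3 carries bytes 101..200, frame 4 resends them after
# no ACK arrived, frame 5 finally acknowledges them.
SAMPLE = "\n".join([
    "1\t1.000000\t10.0.0.1\t10.0.0.2\t1\t100\t101\t1",
    "2\t1.020000\t10.0.0.2\t10.0.0.1\t1\t0\t1\t101",
    "3\t1.030000\t10.0.0.1\t10.0.0.2\t101\t100\t201\t1",
    "4\t1.250000\t10.0.0.1\t10.0.0.2\t101\t100\t201\t1",
    "5\t1.270000\t10.0.0.2\t10.0.0.1\t1\t0\t1\t201",
])

if __name__ == "__main__":
    for frame, info in analyse(parse_fields(SAMPLE)).items():
        print(frame, info)
```

Because the ACK for frame 3 only arrives after the retransmission in frame 4, the measured RTT of 0.24 s is the retransmission timeout rather than the path RTT, which is the same picture the 'tcp.analysis.rto >= 0.050' filter above selects on.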

=extra=
Decode traffic on a non-standard port as a given protocol from the tshark/wireshark command line:
<pre>
-d tcp.port==8888,http
</pre>
To disable protocols (dissectors), see --disable-protocol in the tshark man page, or Analyze -> Enabled Protocols in the GUI.

Kerbal BoF (revision as of 15:51, 3 February 2016)

[[File:Kerbal-LCA2016.jpg|thumb|Alt=LCA2016 Spaceship|LCA2016 is going to space today!]]

== Description ==
For Players, developers, modders, and those who are curious about [https://kerbalspaceprogram.com/ Kerbal Space Program]. General space nerdery is encouraged!

== Organiser ==
This is an open organisation event! While [[User:Paul.j.fenwick@gmail.com|pjf]] created the page, you are encouraged to '''be bold''' and expand on activities, events, resources, and anything else you feel needs doing!

== Scheduled Events ==
* 17:20 – 18:00(ish) Wednesday - D2.193 - The Kerbal BoF!

== Unscheduled Events ==
* I'm currently trying to enhance the [http://forum.kerbalspaceprogram.com/index.php?/topic/60281-hardware-plugin-arduino-based-physical-display-serial-port-io-tutorial-06-jun/ KSPSerialIO] plugin to send enough data to display prograde/radial/normal/target etc icons on an external navball. Keen to talk a little about how frames of reference work in KSP, and what I've learnt and what hasn't worked trying to get this done. Also write more C# code. - [[User:Peter@hardy.dropbear.id.au|Peter Hardy]]
* I brought my KSP control panel to LCA! Bringing it on campus on Monday afternoon for the open hardware miniconf, and can't really manage to do it again on Wednesday. But I'd love to run it for folk interested to try it out back at the Waurn Ponds residence on <strike>Wednesday evening</strike> some non-penguin-dinner evening. - [[User:Peter@hardy.dropbear.id.au|Peter Hardy]]

== Attendees ==
* [[User:Paul.j.fenwick@gmail.com|Paul Fenwick]] (Founder of the Comprehensive Kerbal Archive Network, co-author of The Kerbal Book)
* [[User:Peter@hardy.dropbear.id.au|Peter Hardy]] - Occasional plugin contributor, builds Kerbalish hardware.
* [[User:Charcol.1900@gmail.com|Charelle Collett]]
* [[User:john@johndalton.info|John Dalton]]
* Paris Buttfield-Addison
* Jon Manning
* Stephen Edmonds - really interested, but knows that time needs to be spent on other things :(
* [[User:jessica@itgrrl.com|Jessica Smith]] - space nerd, KSP n00b
* Paul Bone (KSP is a major reason why I don't get anything done)

{{Template:BoF}}