Difference between pages "Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point." and "Birds of a Feather sessions (BoFs)"

From LCA2016 Delegate wiki
===PREREQUISITES===

Please note that this is a tutorial, not a talk.

You should have tcpdump and wireshark INSTALLED and do some captures BEFORE you come to the tutorial.

To find wireshark packages do something like this:

<pre>
#archlinux
pacman -Ss wireshark tcpdump

#debian
apt-cache search wireshark tcpdump

#fedora
yum search wireshark tcpdump
</pre>

Please install both GUI and CLI packages.

Please add the user you are going to run wireshark/tshark as to the 'wireshark' user group.

<pre>
gpasswd -a james wireshark
</pre>

After this, user 'james' will need to log out and log in again!

If that still DOESN'T work, you might want to add a capability. Do it ONLY if you are still unable to capture.

<pre>
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
</pre>

When finished, have a look around at what files came with the package:

<pre>
tcpdump --version
tshark --version
</pre>

List binaries that came with the package (example is for archlinux; for rpm-like distributions do 'rpm -ql wireshark', for debian 'dpkg -L wireshark'):

<pre>
pacman -Ql wireshark-cli|grep bin
wireshark-cli /usr/bin/androiddump
wireshark-cli /usr/bin/capinfos
wireshark-cli /usr/bin/captype        #same as 'capinfos -t'
wireshark-cli /usr/bin/dftest         #display filter byte-code for debugging
wireshark-cli /usr/bin/dumpcap        #can write files
wireshark-cli /usr/bin/editcap        #snaplen, or split into multiple files based on time or number of packets, adjust time
wireshark-cli /usr/bin/idl2wrs
wireshark-cli /usr/bin/mergecap
wireshark-cli /usr/bin/randpkt        #creates a legitimate EthernetII packet with the given Type field set
wireshark-cli /usr/bin/rawshark       #cannot write files, only to standard output
wireshark-cli /usr/bin/reordercap     #part of the functionality of editcap
wireshark-cli /usr/bin/text2pcap      #hexdump -> pcap
wireshark-cli /usr/bin/tshark
wireshark-cli /usr/include/wireshark/epan/dissectors/packet-ypbind.h
wireshark-cli /usr/share/wireshark/radius/dictionary.bintec
</pre>
=Capturing=

====browsing exercise====

# start capturing
# navigate your browser to linux.conf.au
# navigate your browser to google.com
# navigate your browser to xxxxxxx (your choice)

====have a look at the capture files that you generated====

<pre>
capinfos -T *.pcap{,ng}
</pre>
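The numbers capinfos prints come straight out of the file: a 24-byte global header followed by one 16-byte record header per packet. The following is an added example (mine, not part of the tutorial) that walks a classic libpcap file and derives the same headline figures as <code>capinfos -T</code>: packet count, captured bytes, first/last timestamp, duration and link type. It assumes the classic pcap format only (pcapng is a different container and is out of scope), and the sample file is constructed in code rather than captured.

```python
"""Added example, not part of the tutorial: a minimal reader for the classic
libpcap file format that reports the headline numbers `capinfos -T` prints
(packet count, captured bytes, first/last timestamp, duration, link type).
Assumptions: classic pcap only (pcapng is a different container), and the
sample file below is constructed in code rather than captured."""
import struct
from typing import NamedTuple

MAGIC_USEC = 0xA1B2C3D4  # microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # nanosecond timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


class CapInfo(NamedTuple):
    packets: int
    data_bytes: int  # sum of captured (incl_len) bytes
    first_ts: float
    last_ts: float
    link_type: int

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts


def summarize_pcap(data: bytes) -> CapInfo:
    """Walk every record in a classic pcap image and summarise it.

    Every record header is checked against the snaplen and the remaining
    file length, so a truncated or corrupt file raises instead of producing
    a silently wrong summary."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    # The magic number gives both the byte order and the timestamp unit.
    endian = None
    for candidate in ("<", ">"):
        magic, = struct.unpack_from(candidate + "I", data, 0)
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            endian = candidate
            break
    if endian is None:
        raise ValueError("not a libpcap file (unknown magic)")
    ts_div = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    # version major/minor, thiszone, sigfigs, snaplen, network (link type)
    _vmaj, _vmin, _tz, _sigfigs, snaplen, link_type = struct.unpack_from(
        endian + "HHiIII", data, 4)

    offset = GLOBAL_HEADER_LEN
    packets = data_bytes = 0
    first_ts = last_ts = 0.0
    while offset < len(data):
        if offset + RECORD_HEADER_LEN > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        body = offset + RECORD_HEADER_LEN
        if incl_len > snaplen or incl_len > orig_len or body + incl_len > len(data):
            raise ValueError(f"corrupt record at offset {offset}")
        ts = ts_sec + ts_frac / ts_div
        if packets == 0:
            first_ts = ts
        last_ts = ts
        packets += 1
        data_bytes += incl_len
        offset = body + incl_len
    return CapInfo(packets, data_bytes, first_ts, last_ts, link_type)


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed sample: three zero-filled Ethernet-sized frames, link type 1,
    timestamped 0, 1.25 and 2.5 s after the first.  Not a real capture."""
    header = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    records = []
    base = 1454284800  # 2016-02-01 00:00:00 UTC, constructed
    for i, size in enumerate((42, 52, 62)):
        frame = bytes(size)
        records.append(struct.pack(endian + "IIII", base + i, 250_000 * i, size, size) + frame)
    return header + b"".join(records)


if __name__ == "__main__":
    info = summarize_pcap(build_sample_pcap())
    print(f"packets={info.packets} bytes={info.data_bytes} "
          f"duration={info.duration:.3f}s linktype={info.link_type}")
```

Run it against a real file with <code>summarize_pcap(open("capture.pcap", "rb").read())</code> and compare with <code>capinfos -T</code>; a file that fails the record checks is one capinfos will also complain about.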
==capture interfaces==

<pre>
tcpdump -D
tshark -D
# try with no interface
tshark
</pre>

==capturing on the CLI==

tcpdump can autostop after a certain number of packets has been captured. tshark additionally has duration, filesize and number-of-files autostop conditions.

What if we want to have a permanent capture running and keep the last N days of logs?

<pre>
tshark -b duration:2 -n -wevery2sec.pcapng & watch -n 1 ls -l             # new file every 2 seconds, no file limit; watch them appear
tshark -b duration:2 -n -wevery2sec.pcapng -a files:5 & watch -n1 ls -l   # same, but stop once 5 files have been written
tshark -b duration:3600 -n -weveryHour.pcapng -b files:24                 # ring buffer: hourly files, keep only the 24 most recent
tshark -a filesize:1024 -n -w1MiB.pcapng                                  # stop once the file reaches 1024 kB
</pre>
=expert info=

==GUI==

<pre>
-r <pcap file>
-J  <jump filter>
          After reading in a capture file using the -r flag, jump to the packet matching the filter (display
          filter syntax).  If no exact match is found the first packet after that is selected.
</pre>

* capinfo
* lower bottom corner
** expert info
** file name
** packets, etc
* statistics -> protocol hierarchy
* statistics -> HTTP -> packet counter
* statistics -> HTTP -> requests
* extract objects
* follow TCP stream
* coloring rules
* Statistics -> IPv4 Statistics -> Destinations and Ports
* fields
** delta time

==CLI==

<pre>
tshark -q -z ptype,tree
tshark -q -z io,stat,20,eth
tshark -q -z io,stat,20,http
tshark -q -z io,stat,20,,"BYTES()http"
tshark -q -z http,tree
tshark -q -z http_req,tree
tshark -q -z http_srv,tree

# create a capture file for icmp first
tshark -q -z icmp,srt

tshark -q -z io,phs
tshark -q -z io,stat
tshark -q -z ip_hosts,tree
tshark -q -z plen,tree
tshark -q -z endpoints,eth
tshark -q -z endpoints,ip
tshark -q -z conv,eth
tshark -q -z conv,udp
tshark -q -z conv,tcp
tshark -q -z conv
tshark -q -z expert,error
tshark -q -z expert,note
</pre>
=DECRYPTING SSL=

When a client (for example, a web browser) makes a connection to a web server requiring SSL/TLS encryption, the encrypted channel is set up using a '''symmetric''' session key. The client generates a random value, the ''Pre-master Secret'', encrypts it with the server's '''public''' key and transmits it to the server; both sides derive the session key from it. Once shared, the client and server use this key to encrypt and decrypt traffic. The key log file produced below is what Wireshark reads to decrypt such a session in a capture.

MacOS users can do:

<pre>
launchctl setenv SSLKEYLOGFILE /tmp/SSLKEYLOGFILE.txt; open -a /Applications/Firefox.app
</pre>

====exercise on deciphering SSL====

Start firefox with the key log variable set and watch the key log file grow:

<pre>
SSLKEYLOGFILE=/tmp/SSLKEYLOGFILE.txt firefox & tail -f /tmp/SSLKEYLOGFILE.txt
</pre>

# Navigate to https://google.com
# Do some searches
# Start capture
# Open a new tab and do more searches on google.com
# Try https://facebook.com or some other web site.

The SSLKEYLOGFILE variable works for firefox, chromium and any program built with the NSS library (Network Security Services).
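Before blaming Wireshark when a session stays encrypted, check that the key log actually holds a secret for that session: Wireshark matches the 32-byte random from the captured ClientHello against the lookup field of each key log line. The following is an added example (mine, not part of the tutorial) that parses the NSS key log format written via SSLKEYLOGFILE, rejects malformed lines instead of dropping them silently, and reports which captured client randoms have no secret. The label set covers the TLS 1.2 and TLS 1.3 lines NSS writes today; the sample log is constructed from repeating hex digits and is not a real key log.

```python
"""Added example, not part of the tutorial: a parser for the NSS key log
format that SSLKEYLOGFILE produces, used to check that a log actually
contains the secrets for a captured session before handing it to Wireshark.
The sample log below is constructed (all-repeating hex), not a real one."""
import binascii
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# label -> (byte length of the lookup field, byte length of the secret or None if variable)
# CLIENT_RANDOM:  32-byte ClientHello random, 48-byte master secret (TLS <= 1.2)
# RSA:            first 8 bytes of the encrypted pre-master secret, 48-byte pre-master secret
# TLS 1.3 labels: 32-byte client random, traffic secret whose length depends on the cipher hash
LABELS: Dict[str, Tuple[int, Optional[int]]] = {
    "RSA": (8, 48),
    "CLIENT_RANDOM": (32, 48),
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, None),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, None),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, None),
    "CLIENT_TRAFFIC_SECRET_0": (32, None),
    "SERVER_TRAFFIC_SECRET_0": (32, None),
    "EXPORTER_SECRET": (32, None),
}


@dataclass
class KeyLog:
    secrets: Dict[Tuple[str, bytes], bytes] = field(default_factory=dict)
    bad_lines: List[Tuple[int, str]] = field(default_factory=list)

    def secrets_for(self, client_random: bytes) -> Dict[str, bytes]:
        """Every secret logged against one ClientHello random, keyed by label.
        This is the lookup Wireshark performs for each TLS session it sees."""
        return {label: secret for (label, key), secret in self.secrets.items()
                if key == client_random}

    def missing_sessions(self, client_randoms: List[bytes]) -> List[bytes]:
        """Client randoms from a capture that this log cannot decrypt."""
        return [r for r in client_randoms if not self.secrets_for(r)]


def _unhex(text: str, expected_len: Optional[int]) -> Optional[bytes]:
    try:
        raw = binascii.unhexlify(text)
    except (binascii.Error, ValueError):
        return None
    if expected_len is not None and len(raw) != expected_len:
        return None
    return raw


def parse_keylog(text: str) -> KeyLog:
    """Parse key log text; comments and blank lines are skipped, anything
    malformed is recorded in bad_lines rather than silently dropped."""
    log = KeyLog()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            log.bad_lines.append((lineno, "expected 3 whitespace-separated fields"))
            continue
        label, key_hex, secret_hex = parts
        if label not in LABELS:
            log.bad_lines.append((lineno, f"unknown label {label}"))
            continue
        key_len, secret_len = LABELS[label]
        key, secret = _unhex(key_hex, key_len), _unhex(secret_hex, secret_len)
        if key is None or secret is None:
            log.bad_lines.append((lineno, "field is not hex or has the wrong length"))
            continue
        log.secrets[(label, key)] = secret
    return log


# Constructed sample: one TLS 1.2 session (random 11..11), one TLS 1.3 session
# (random 33..33), a CLIENT_RANDOM line with a truncated random, and an unknown label.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "77" * 32,
    "CLIENT_RANDOM deadbeef " + "22" * 48,
    "BOGUS_LABEL " + "88" * 32 + " " + "99" * 48,
])

if __name__ == "__main__":
    log = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(log.secrets)} usable secrets, {len(log.bad_lines)} bad lines: {log.bad_lines}")
    captured = [bytes.fromhex("11" * 32), bytes.fromhex("ab" * 32)]
    print("sessions without keys:", [r.hex() for r in log.missing_sessions(captured)])
```

To use it on the exercise above, feed <code>parse_keylog(open("/tmp/SSLKEYLOGFILE.txt").read())</code> the client randoms you read off the ClientHello packets in the capture; any random reported by <code>missing_sessions</code> was negotiated before the key log was being written or by a program that does not honour the variable.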
 
  
==display filter==

<pre>
sack
http
ip.src==1.1.1.1 && (tcp.analysis.retransmission or tcp.analysis.fast_retransmission)
http.time >= 0.4
tcp.analysis.rto >= 0.050
http.request.uri == "https://www.wireshark.org/"
http.response.code == 500
tcp.port in {80 443 8080}
#the above is same as:
tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
_ws.expert.severity >= warn
        0x1      ok
        0x100000 comment
        0x200000 chat
        0x400000 note
        0x600000 warn
        0x800000 error

tshark -r /var/tmp/aros.pcapng -e frame.number -e ip.src -e ip.dst -Tfields
tshark -r /srv/http/TCP_SACK.cap -Y frame.number==29 -V
tshark -r TCP_SACK.cap -Y 'frame.number>=10 && frame.number<=15'
</pre>

==columns==

<pre>
tshark -r http.pcapng -z follow,tcp,hex,1
tshark -e ip.addr -e tcp.window_size -Tfields
tshark -r http.pcapng -z follow,tcp,hex,127.0.0.1:59544,127.0.0.1:80
tshark -r /srv/http/TCP_SACK.cap -Tfields -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.ack -e tcp.analysis.ack_rtt
tshark -r /srv/http/TCP_SACK.cap -Tfields -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.ack -e tcp.options.sack_le -e tcp.options.sack_re
</pre>
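The <code>tcp.analysis.retransmission</code> filter in the display filter section and the <code>-Tfields</code> columns above are two views of the same thing: a data segment whose sequence range was already sent in that direction. The following is an added example (mine, not part of the tutorial) that parses the tab-separated output of the first TCP_SACK.cap command above, flags retransmissions with a simplified form of the check Wireshark applies, and summarises the <code>tcp.analysis.ack_rtt</code> values. It assumes relative sequence numbers (tshark's default) and a single TCP connection in the capture, since the page's field list carries no ports to separate flows; the input is a constructed sample standing in for the real TCP_SACK.cap output.

```python
"""Added example, not part of the tutorial: a reader for the tab-separated
output of the `tshark -Tfields` command above (frame.number, frame.time_epoch,
ip.src, ip.dst, tcp.seq, tcp.len, tcp.nxtseq, tcp.ack, tcp.analysis.ack_rtt)
that flags retransmissions the way the tcp.analysis.retransmission display
filter does, in simplified form, and summarises ACK round-trip times.
Assumptions: relative sequence numbers (tshark's default), a single TCP
connection per capture (the field list has no ports to separate flows), and a
constructed sample instead of TCP_SACK.cap."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIELDS = ["frame.number", "frame.time_epoch", "ip.src", "ip.dst", "tcp.seq",
          "tcp.len", "tcp.nxtseq", "tcp.ack", "tcp.analysis.ack_rtt"]


@dataclass
class Segment:
    frame: int
    time: float
    src: str
    dst: str
    seq: int
    length: int
    nxtseq: Optional[int]
    ack: Optional[int]
    ack_rtt: Optional[float]  # set by tshark on the segment that ACKs earlier data


def _opt_int(s: str) -> Optional[int]:
    return int(s) if s else None


def _opt_float(s: str) -> Optional[float]:
    return float(s) if s else None


def parse_fields_output(text: str) -> List[Segment]:
    """Parse `-Tfields` lines; fields tshark could not fill are empty strings.
    Rows without a tcp.seq (ARP, ICMP, ...) are skipped."""
    segments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(cols)}: {line!r}")
        frame, t, src, dst, seq, length, nxtseq, ack, rtt = cols
        if not seq:
            continue
        segments.append(Segment(int(frame), float(t), src, dst, int(seq), int(length),
                                _opt_int(nxtseq), _opt_int(ack), _opt_float(rtt)))
    return segments


def find_retransmissions(segments: List[Segment]) -> List[int]:
    """Frame numbers whose data lies entirely below the highest sequence
    number already sent in that direction.  Wireshark's real check also
    weighs timing and lost-segment state; this is the core of it."""
    highest: Dict[Tuple[str, str], int] = {}
    retransmitted = []
    for s in segments:
        if s.length == 0:
            continue  # pure ACKs and bare SYN/FIN carry no data to retransmit
        direction = (s.src, s.dst)
        end = s.seq + s.length
        if end <= highest.get(direction, 0):
            retransmitted.append(s.frame)
        else:
            highest[direction] = end  # new data (or a partial overlap) advances the edge
    return retransmitted


def ack_rtt_summary(segments: List[Segment]) -> Optional[Tuple[float, float, float]]:
    """(min, max, mean) of tcp.analysis.ack_rtt over segments that carry it."""
    rtts = [s.ack_rtt for s in segments if s.ack_rtt is not None]
    if not rtts:
        return None
    return min(rtts), max(rtts), sum(rtts) / len(rtts)


# Constructed sample in the exact column order of the tshark command above:
# handshake, two data segments, an ACK for the first, a retransmission of the
# second after ~230 ms, and the ACK that finally covers it.
SAMPLE_FIELDS = "\n".join([
    "1\t1454284800.000000000\t10.0.0.1\t10.0.0.2\t0\t0\t1\t0\t",
    "2\t1454284800.020000000\t10.0.0.2\t10.0.0.1\t0\t0\t1\t1\t0.020000000",
    "3\t1454284800.020100000\t10.0.0.1\t10.0.0.2\t1\t0\t1\t1\t0.000100000",
    "4\t1454284800.021000000\t10.0.0.1\t10.0.0.2\t1\t1000\t1001\t1\t",
    "5\t1454284800.022000000\t10.0.0.1\t10.0.0.2\t1001\t1000\t2001\t1\t",
    "6\t1454284800.045000000\t10.0.0.2\t10.0.0.1\t1\t0\t1\t1001\t0.024000000",
    "7\t1454284800.250000000\t10.0.0.1\t10.0.0.2\t1001\t1000\t2001\t1\t",
    "8\t1454284800.270000000\t10.0.0.2\t10.0.0.1\t1\t0\t1\t2001\t0.020000000",
])

if __name__ == "__main__":
    segs = parse_fields_output(SAMPLE_FIELDS)
    print("retransmitted frames:", find_retransmissions(segs))
    print("ack_rtt min/max/mean:", ack_rtt_summary(segs))
```

Pipe the real command's output into <code>parse_fields_output</code> and compare <code>find_retransmissions</code> against <code>tshark -r TCP_SACK.cap -Y tcp.analysis.retransmission -Tfields -e frame.number</code>; where the two disagree, the difference is exactly the timing and lost-segment heuristics Wireshark adds on top of the sequence-number rule.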
=extra=

<pre>
-d tcp.port==8888,http        # decode-as: dissect TCP port 8888 as HTTP
</pre>

disable protocols

Revision as of 09:40, 4 February 2016

== Birds of a Feather (BoF) Sessions ==

Although not an official social event of the Conference, Birds of a Feather - or BoFs as they are known - allow Delegates to meet around a particular topic or interest. BoFs usually occur during lunchtime, or after the main Conference presentations for the day.

==== Instructions ====

Edit the table below to claim a BoF, and provide a way for people to contact you. ''Rooms will be added later.'' See also: [[mw:Help:Tables|Tables Help]].

{| class="wikitable" style="text-align:center"
|+Birds of a Feather (BoF) Sessions
!
!Monday 1st Feb
!Tuesday 2nd Feb
!Wednesday 3rd Feb
!Thursday 4th Feb
!Friday 5th Feb
|-
! Early birds<br/>06:00
| [[Running BoF]]
| [[Running BoF]]
| [[Running BoF]]
| [[Running BoF]]
| [[Running BoF]]
|-
! Not-as-Early birds<br/>07:00
| [[Interval Training BoF]]
| [[Interval Training BoF]]
| [[Interval Training BoF]]
| [[Interval Training BoF]]
| [[Interval Training BoF]]
|- style="background-color: #f2f2f2;text-align:center;"
! 09:00
| Opening
| colspan="4" | Keynote Speakers
|-
! Morning Tea<br/>10:00—10:40
| Session
| Session
| Session
| Session
| Session
|- style="background-color: #f2f2f2;text-align:center;"
| colspan="6" | Regular Schedule
|-
! Lunch Break<br/>12:20—13:20
| [[Queer BoF]]
| [[Perl BoF]] D2.193 <br/> [[Autonomous Robots BoF]] D.211
| [[Emacs BoF]] D2.193 <br/> [[Safer Payments BoF]] D.211 <br/> Exploding Kittens BoF - student lounge <br/> Cards Against Humanity BoF D.211
| [[Ladies' Lunch]] <br/> [[Debian Lunch]] @ Dennys? <br/> Cards Against Humanity BoF - D.211
| [[Conservancy supporters|Software Freedom Conservancy supporters lunch]] - meet near rego <br/> [[Hackerspace BoF]] - D2.193 How to run one and support. <br/> [[Home Automation BoF]] (D2.211 - incl. Sensors & Open Hardware)
|- style="background-color: #f2f2f2;text-align:center;"
| colspan="6" | Regular Schedule
|-
! Afternoon Tea<br/>15:00—15:40
| Session
| Session
| [[BlueHackers BoF]] D2.193
| [[Jobs Page|Jobs BoF]] D.211 <br/> Keep Talking and Nobody Explodes (Unallocated)
| [https://www.rust-lang.org/ Rust Language] BoF (D2.193?)
|- style="background-color: #f2f2f2;text-align:center;"
| colspan="5" | Regular Schedule
| [[Lightning_talks|LightningTalks]] & Closing
|-
! Evening<br/>17:20—
| [[Ingress BoF]] D.192 <br/> [[Libre Instant Messaging and Social Media BoF|Libre IM & Social BoF]] D2.211
| [[Keysigning bof|Keysigning BoF]] D2.211
| [[Kerbal BoF]] D2.193
| [[Parallelism and Concurrency BoF]] D2.193 <br/> [[Factorio BoF]]
| Session
|- style="background-color: #f2f2f2;text-align:center;"
! 18:00—
| [[LA AGM]] D.193
| [[Professional Delegates Networking Session (PDNS)|PDNS]]
| [[Penguin Dinner]]
| [[Speakers' Dinner]]
| [[EFA Drinks]]
|}

[[Category:Events]]


Unscheduled sessions:

