Difference between pages "Airport Arrivals and Departures" and "Tutorials/Tutorial: Packets don't lie: how can you use tcpdump/tshark (wireshark) to prove your point."

From LCA2016 Delegate wiki
Revision as of 15:31, 3 February 2016

PREREQUISITES

Please note that this is a tutorial, not a talk. You should have tcpdump and wireshark INSTALLED and have done some captures BEFORE you come to the tutorial. To find the wireshark packages do something like this:

#archlinux
pacman -Ss wireshark tcpdump
#debian
apt-cache search wireshark tcpdump
#fedora
yum search wireshark tcpdump

Please install both GUI and CLI packages.

Please add the user you are going to run wireshark/tshark as to the 'wireshark' user group.

gpasswd -a james wireshark

After this, user 'james' will need to log out and log in again for the new group membership to take effect!


If that still DOESN'T work, you might want to add a capability to dumpcap. Do it ONLY if you are still unable to capture: the group approach limits raw capture to members of 'wireshark', while a file capability lets every user who can execute dumpcap capture.

setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

When finished, have a look around at what files came with the package:

tcpdump --version
tshark --version

List the binaries that came with the package (the example is for archlinux; for rpm-like distributions do 'rpm -ql wireshark', for debian 'dpkg -L wireshark'):

pacman -Ql wireshark-cli|grep bin
wireshark-cli /usr/bin/androiddump
wireshark-cli /usr/bin/capinfos
wireshark-cli /usr/bin/captype        #same as 'capinfos -t'
wireshark-cli /usr/bin/dftest         #display filter byte-code for debugging
wireshark-cli /usr/bin/dumpcap        #can write files
wireshark-cli /usr/bin/editcap        #snaplength, or split into multiple files based on time or number of packets, adjust time
wireshark-cli /usr/bin/idl2wrs
wireshark-cli /usr/bin/mergecap
wireshark-cli /usr/bin/randpkt        #creates a legitimate EthernetII packet with the given Type field set
wireshark-cli /usr/bin/rawshark       #cannot write files, only to standard output
wireshark-cli /usr/bin/reordercap     #part of the functionality of the editcap
wireshark-cli /usr/bin/text2pcap      #hexdump -> pcap
wireshark-cli /usr/bin/tshark
wireshark-cli /usr/include/wireshark/epan/dissectors/packet-ypbind.h
wireshark-cli /usr/share/wireshark/radius/dictionary.bintec

Capturing

browsing exercise

  1. start capturing
  2. navigate your browser to linux.conf.au
  3. navigate your browser to google.com
  4. navigate your browser to xxxxxxx (your choice)

have a look at the capture files that you generated

capinfos -T *.pcap{,ng}
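As an added example (not part of the tutorial), here is a minimal libpcap reader in Python that recomputes the figures capinfos -T prints (packet count, data size, first/last timestamp) straight from the file bytes, and flags a capture whose last record was cut short, which is what a capture killed mid-write looks like. The sample capture is constructed inline with zero-filled frames; it reads the classic tcpdump format only, not the pcapng that tshark writes by default.

```python
import struct
from typing import NamedTuple

# libpcap (not pcapng) magics; tcpdump writes this format, tshark writes pcapng by default.
MAGIC_USEC = 0xA1B2C3D4   # timestamps in microseconds
MAGIC_NSEC = 0xA1B23C4D   # timestamps in nanoseconds (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1


class PcapSummary(NamedTuple):
    packets: int
    data_bytes: int      # captured bytes, what capinfos calls "Data size"
    first_ts: float
    last_ts: float
    truncated: bool      # file ends inside a record: the writer was killed mid-write


def summarize_pcap(data: bytes) -> PcapSummary:
    """Recompute the figures 'capinfos -T' prints, directly from the file bytes."""
    if len(data) < 24:
        raise ValueError("shorter than a libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):          # same magics from a big-endian writer
        endian = ">"
        magic = struct.unpack(">I", data[:4])[0]
    else:
        raise ValueError(f"not a libpcap file (magic {magic:#x}); pcapng starts with 0x0A0D0D0A")
    ts_div = 1e9 if magic == MAGIC_NSEC else 1e6
    # 24-byte global header (magic, major, minor, thiszone, sigfigs, snaplen, linktype),
    # then per packet a 16-byte record header: ts_sec, ts_frac, incl_len, orig_len
    offset, packets, data_bytes = 24, 0, 0
    first = last = 0.0
    truncated = False
    while offset < len(data):
        if offset + 16 > len(data):                  # partial record header
            truncated = True
            break
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        if offset + 16 + incl_len > len(data):       # header promises more bytes than the file has
            truncated = True
            break
        ts = ts_sec + ts_frac / ts_div
        first = first or ts
        last = ts
        packets += 1
        data_bytes += incl_len
        offset += 16 + incl_len
    return PcapSummary(packets, data_bytes, first, last, truncated)


def build_sample(truncate_last: bool = False) -> bytes:
    """Constructed three-frame capture (zero-filled frames, not real traffic)."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [(1454200000, 0, 60), (1454200000, 500000, 74), (1454200002, 0, 1514)]
    body = b"".join(struct.pack("<IIII", s, us, n, n) + bytes(n) for s, us, n in frames)
    if truncate_last:
        body = body[:-700]      # cut the 1514-byte last frame short, as a killed capture would
    return hdr + body


if __name__ == "__main__":
    for name, blob in (("complete", build_sample()), ("killed mid-write", build_sample(True))):
        s = summarize_pcap(blob)
        print(f"{name}: {s.packets} packets, {s.data_bytes} bytes, "
              f"duration {s.last_ts - s.first_ts:.3f}s, truncated={s.truncated}")
```

A truncated capture is exactly what editcap or a fresh capinfos run will complain about, so checking for it before arguing from a capture avoids a "packets lie" moment caused by your own tooling.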

capture interfaces

tcpdump -D
tshark -D
# try with no interface
tshark

capturing on the CLI

tcpdump can autostop after a certain number of packets has been captured. tshark additionally has duration, filesize and number-of-files autostop conditions. What if we want to have a permanent capture running and keep the last N days of logs?

tshark -b duration:2 -n -wevery2sec.pcapng & watch -n 1 ls -l
tshark -b duration:2 -n -wevery2sec.pcapng -a files:5  & watch -n1 ls -l
tshark -b duration:3600 -n -weveryHour.pcapng -b files:24
tshark -a filesize:1024 -n -w1MiB.pcapng

expert info

GUI

-r <pcap file> -J <jump filter>

          After reading in a capture file using the -r flag, jump to the packet matching the filter (display
          filter syntax).  If no exact match is found the first packet after that is selected.
       capinfo
       lower bottom corner
               expert info
               file name
               packets, etc
       statistics -> protocol hierarchy
       statistics -> HTTP -> packet counter
       statistics -> HTTP -> requests
       extract objects
       follow TCP stream
       coloring rules
       Statistics -> IPv4 Statistics -> Destinations and Ports

fields

   delta time
   

CLI

tshark -q -z ptype,tree
tshark -q -z io,stat,20,eth
tshark -q -z io,stat,20,http
tshark -q -z io,stat,20,,"BYTES()http"
tshark -q -z http,tree
tshark -q -z http_req,tree
tshark -q -z http_srv,tree
# create a capture file for icmp
tshark -q -z icmp,srt
tshark -q -z io,phs
tshark -q -z io,stat
tshark -q -z ip_hosts,tree
tshark -q -z plen,tree
tshark -q -z endpoints,eth
tshark -q -z endpoints,eth,
tshark -q -z endpoints,ip
tshark -q -z conv,eth
tshark -q -z conv,udp
tshark -q -z conv,tcp
tshark -q -z conv
tshark -q -z expert,error
tshark -q -z expert,note

DECRYPTING SSL

When a client (for example, a web browser) makes a connection to a web server requiring SSL/TLS encryption, the encrypted channel is set up using a symmetric session key. This key is a random string generated by the client and then encrypted and transmitted using the server's public key, known as the Pre-master Secret. (This describes the RSA key exchange; with Diffie-Hellman key exchange the pre-master secret is computed independently on both sides and never transmitted, so the server's private key alone cannot decrypt such a capture, whereas the key log described below works in both cases.) Once shared, the client and server use this shared key to encrypt and decrypt traffic.

MacOS users can do: launchctl setenv SSLKEYLOGFILE /tmp/SSLKEYLOGFILE.txt; open -a Applications/Firefox.app

exercise on deciphering SSL

SSLKEYLOGFILE=/tmp/SSLKEYLOGFILE.txt firefox & tail -F /tmp/SSLKEYLOGFILE.txt    # -F keeps retrying until firefox creates the file

  1. Navigate to https://google.com
  2. Do some searches
  3. Start capture
  4. Open a new tab and do more searches on google.com
  5. try https://facebook.com or some other web site.


The SSLKEYLOGFILE variable works for Firefox, Chromium and any program built with the NSS library (Network Security Services).
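To see what Wireshark actually consumes from that file, here is an added Python example (not part of the tutorial) that parses the NSS key log format, rejects malformed lines, and reports which ClientHello randoms from a capture (tls.handshake.random in Wireshark) the log can decrypt. It goes beyond the page in also accepting the TLS 1.3 secret labels; the sample log is constructed inline and contains no real secrets.

```python
import re
from collections import defaultdict

HEX = re.compile(r"^[0-9a-fA-F]+$")
# label -> (length of the lookup field in bytes, allowed secret lengths in bytes)
# RSA lines are keyed by the first 8 bytes of the encrypted pre-master secret;
# every other line is keyed by the 32-byte ClientHello random Wireshark sees on the wire.
LABELS = {
    "RSA": (8, {48}),
    "CLIENT_RANDOM": (32, {48}),                       # TLS <= 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, {32, 48}),     # TLS 1.3 secrets: SHA-256 or SHA-384 size
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, {32, 48}),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, {32, 48}),
    "CLIENT_TRAFFIC_SECRET_0": (32, {32, 48}),
    "SERVER_TRAFFIC_SECRET_0": (32, {32, 48}),
    "EXPORTER_SECRET": (32, {32, 48}),
}

# Constructed sample log (hypothetical values). A real file holds live session
# secrets: treat it like a private key and delete it after the exercise.
CR1, CR2 = "11" * 32, "22" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {CR1} {'aa' * 48}",
    f"RSA {'0f' * 8} {'bb' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR2} {'cc' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR2} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR2} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR2} {'dd' * 32}",
    f"CLIENT_RANDOM {'33' * 32} {'ee' * 40}",          # malformed: master secret must be 48 bytes
    "",
])


def parse_keylog(text):
    """Return ({lookup_key_hex: {label: secret_hex}}, [(lineno, reason) for bad lines])."""
    sessions, bad = defaultdict(dict), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in LABELS:
            bad.append((lineno, "unknown label or wrong field count"))
            continue
        label, key, secret = parts
        key_len, secret_lens = LABELS[label]
        if not (HEX.match(key) and HEX.match(secret)):
            bad.append((lineno, f"{label}: non-hex field"))
            continue
        if len(key) != key_len * 2 or len(secret) % 2 or len(secret) // 2 not in secret_lens:
            bad.append((lineno, f"{label}: bad field length"))
            continue
        sessions[key.lower()][label] = secret.lower()
    return dict(sessions), bad


def decryptable(sessions, client_randoms):
    """Split the ClientHello randoms seen in a capture into (have keys, missing keys)."""
    have = {r.lower() for r in client_randoms if r.lower() in sessions}
    return have, {r.lower() for r in client_randoms} - have


if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(sessions)} usable entries, {len(bad)} bad lines: {bad}")
    have, missing = decryptable(sessions, [CR1, "44" * 32])
    print(f"can decrypt {len(have)} session(s), no keys for {len(missing)}")
```

A session whose random is in the "missing" set was started before the variable was exported (or by a program that does not honour it), which is why the exercise has you start the browser with the variable set before capturing.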

display filter

sack 
http
        ip.src==1.1.1.1 &&      tcp.analysis.retransmission or tcp.analysis.fast_retransmission
        #note: && binds tighter than 'or', so the above reads (ip.src==1.1.1.1 && retransmission) or fast_retransmission; add parentheses if you mean ip.src==1.1.1.1 && (either)
        http.time >= 0.4
        tcp.analysis.rto >= 0.050
        http.request.uri == "https://www.wireshark.org/"
        http.response.code == 500
        tcp.port in {80 443 8080}
        #the above is same as:
        tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
        _ws.expert.severity >= warn
                0x1      ok
                0x100000 comment
                0x200000 chat
                0x400000 note
                0x600000 warn
                0x800000 error

tshark -r /var/tmp/aros.pcapng -e frame.number -e ip.src -e ip.dst -Tfields
tshark -r /srv/http/TCP_SACK.cap   -Y frame.number==29 -V
tshark -r TCP_SACK.cap -Y 'frame.number>=10 && frame.number<=15'    #tshark applies a single -Y display filter, so combine the conditions in one expression


extra

-d tcp.port==8888,http    #decode-as: dissect TCP port 8888 as HTTP