Skip to main content

Packet Sniffing

A Transparent Bridge

It is sometimes necessary to capture packets on a network in order to see why a certain host or device is misbehaving.

Depending on the setup, you could use Ettercap and ARP table spoofing to reroute interesting traffic to your test machine as described in another post, but usually it is best to physically insert the test machine between the unit under test and the ethernet switch as a transparent bridge and then capture or save the data using tcpdump or wireshark.

If your test machine is a laptop computer, then it likely has only one ethernet port.  You can add a second one using either a cardbus or USB ethernet adaptor.

Install the ethernet bridge utilities and create a transparent bridge br0, then assign the two ethernet ports to it (find their names with ifconfig).

Building the Bridge

Here is a bridge script that I used recently:

 #! /bin/bash
echo Configure a transparent bridge for Wireshark or tcpdump.

killall NetworkManager

# Install ebtables and bridge-utils
# Ethernet ports: em1 and eth2

echo Create a transparent bridge
brctl addbr br0
brctl stp br0 off
brctl addif br0 em1
brctl addif br0 eth2

echo Enable IP4 forwarding
/sbin/ifconfig em1 0.0.0.0 promisc up
/sbin/ifconfig eth2 0.0.0.0 promisc up
echo "1" > /proc/sys/net/ipv4/ip_forward

echo The bridge IP address is 192.168.111.1
ifconfig br0 192.168.111.1 netmask 255.255.255.0 up

echo Open ebtables to allow everything, INPUT, OUTPUT and FORWARD  
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
ebtables -F
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -P FORWARD ACCEPT

echo Configuration:
iptables -L
ebtables -L
ifconfig

Dumping the Packets

Now you can run tcpdump on the br0 device and view or save the traffic for later analysis.  Here are a few examples:

# tcpdump -i br0
# tcpdump -nlA -i br0
# tcpdump -nlX -s 256 host 192.168.x.y and port 1234 -i br0


La voila!
Labels:

Comments

Post a Comment

On topic comments are welcome. Junk will be deleted.

Popular posts from this blog

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018:  http://www.amsat-uk.org If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well ...
2 comments
Read more

Unlock CRA PDF Forms

Unlock Canada Revenue Agency PDF Forms It appears that there is a relatively new PDF feature to prevent casual copying and saving of a file and that some programs save PDF files with these foolish features active by default.  Many forms from the Canada Revenue Agency are locked in this way, which makes it difficult to do one's taxes, since one can fill the form, but cannot save it.  One can only print the form.  It should be possible to print to a file or export it to a new PDF file, but it is far better to reset the annoying anti-taxpayer flags, since the 'printed' form cannot be edited easily any more and I always manage to make a mistake or three that need to be corrected after review. If there is a Linux (virtual) machine handy, install qpdf and use it to reset the silly flags: $ su - password # dnf update # dnf install qpdf # exit $ qpdf --decrypt lockedfile.pdf unlockedfile.pdf One doesn't need a password to unlock these flags, so the fix is instant. La voila! He...
Post a Comment
Read more

To C or not to C, That is the Question

As most would know, the Kernighan and Ritchie C Programming Language is an improved version of B, which is a simplified version of BCPL, which is derived from ALGOL, which is the Ur computer language that started the whole madness, when Adam needed an operating system for his Abacus, to count Eve's apples in the garden of Eden in Iraq.  The result is that C is my favourite, most hated computer language , which I use for everything. At university, I learned FORTRAN with punch cards on a Sperry-Univac, in order to run SPICE, to simulate an operational amplifier.  Computers rapidly lost their glamour after that era! Nobody taught me C.  I bought the book and figured it out myself. Over time, I wrote a couple of assemblers, a linker-locator, various low level debuggers and schedulers and I even fixed a bug in a C compiler - not because I wanted to, but because I had to, to get the job done!   Much of my software work was down in the weeds with DSP and radio modems...
Post a Comment
Read more