Skip to main content

Packet Sniffing

A Transparent Bridge

It is sometimes necessary to capture packets on a network in order to see why a certain host or device is misbehaving.

Depending on the setup, you could use Ettercap and ARP table spoofing to reroute interesting traffic to your test machine as described in another post, but usually it is best to physically insert the test machine between the unit under test and the ethernet switch as a transparent bridge and then capture or save the data using tcpdump or wireshark.

If your test machine is a laptop computer, then it likely has only one ethernet port.  You can add a second one using either a cardbus or USB ethernet adaptor.

Install the ethernet bridge utilities and create a transparent bridge br0, then assign the two ethernet ports to it (find their names with ifconfig).

Building the Bridge

Here is a bridge script that I used recently:

 #! /bin/bash
echo Configure a transparent bridge for Wireshark or tcpdump.

killall NetworkManager

# Install ebtables and bridge-utils
# Ethernet ports: em1 and eth2

echo Create a transparent bridge
brctl addbr br0
brctl stp br0 off
brctl addif br0 em1
brctl addif br0 eth2

echo Enable IP4 forwarding
/sbin/ifconfig em1 0.0.0.0 promisc up
/sbin/ifconfig eth2 0.0.0.0 promisc up
echo "1" > /proc/sys/net/ipv4/ip_forward

echo The bridge IP address is 192.168.111.1
ifconfig br0 192.168.111.1 netmask 255.255.255.0 up

echo Open ebtables to allow everything, INPUT, OUTPUT and FORWARD  
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
ebtables -F
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -P FORWARD ACCEPT

echo Configuration:
iptables -L
ebtables -L
ifconfig

Dumping the Packets

Now you can run tcpdump on the br0 device and view or save the traffic for later analysis.  Here are a few examples:

# tcpdump -i br0
# tcpdump -nlA -i br0
# tcpdump -nlX -s 256 host 192.168.x.y and port 1234 -i br0


La voila!
Labels:

Comments

Post a Comment

On topic comments are welcome. Junk will be deleted.

Popular posts from this blog

Unlock CRA PDF Forms

Unlock Canada Revenue Agency PDF Forms It appears that there is a relatively new PDF feature to prevent casual copying and saving of a file and that some programs save PDF files with these foolish features active by default.  Many forms from the Canada Revenue Agency are locked in this way, which makes it difficult to do one's taxes, since one can fill the form, but cannot save it.  One can only print the form.  It should be possible to print to a file or export it to a new PDF file, but it is far better to reset the annoying anti-taxpayer flags, since the 'printed' form cannot be edited easily any more and I always manage to make a mistake or three that need to be corrected after review. If there is a Linux (virtual) machine handy, install qpdf and use it to reset the silly flags: $ su - password # dnf update # dnf install qpdf # exit $ qpdf --decrypt lockedfile.pdf unlockedfile.pdf One doesn't need a password to unlock these flags, so the fix is instant. La voila! He...
Post a Comment
Read more

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018:  http://www.amsat-uk.org If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well ...
2 comments
Read more

OpenEMS with Octave and SciLAB

I wanted to do some advanced RF antenna development work and needed an electromagnetic field solver that is a bit more up to date than NEC2 .  Commercial solvers from Matlab , Ansys and others are hideously expensive (in the order of $20,000 to $50,000) and do not fit in the wallet of a hobbyist or a small consulting company.  Recently, openEMS became available and it fills the niche with a capable free tool.  In general, openEMS is a solver - a Finite-Difference Time-Domain (FDTD) numerical engine.  You interact with it through Octave , which is almost identical to Matlab .  You can watch a good video by Thorsten Liebig here: https://www.youtube.com/watch?app=desktop&v=ThMLf0d5gaE   Getting it to work is a little painful, but it is free, so bear with it - then save a backup clone, or a zipped copy of the whole virtual machine directory and NEVER update it, to ensure that it keeps going and doesn't get broken by future updates, right when you are ...
Post a Comment
Read more