Wednesday, October 9, 2013

Packet Sniffing

A Transparent Bridge

It is sometimes necessary to capture packets on a network in order to see why a certain host or device is misbehaving.

Depending on the setup, you could use Ettercap and ARP table spoofing to reroute interesting traffic to your test machine as described in another post, but usually it is best to physically insert the test machine between the unit under test and the ethernet switch as a transparent bridge and then capture or save the data using tcpdump or wireshark.

If your test machine is a laptop computer, then it likely has only one ethernet port.  You can add a second one using either a cardbus or USB ethernet adaptor.

Install the ethernet bridge utilities and create a transparent bridge br0, then assign the two ethernet ports to it (find their names with ifconfig).

Building the Bridge

Here is a bridge script that I used recently:

#! /bin/bash
echo Configure a transparent bridge for Wireshark or tcpdump.

killall NetworkManager

# Install ebtables and bridge-utils
# Ethernet ports: em1 and eth2

echo Create a transparent bridge
brctl addbr br0
brctl stp br0 off
brctl addif br0 em1
brctl addif br0 eth2

echo Enable IP4 forwarding
/sbin/ifconfig em1 promisc up
/sbin/ifconfig eth2 promisc up
echo "1" > /proc/sys/net/ipv4/ip_forward

echo The bridge IP address is
ifconfig br0 netmask up

echo Open ebtables to allow everything, INPUT, OUTPUT and FORWARD  
iptables -F
iptables -P INPUT ACCEPT
ebtables -F
ebtables -P INPUT ACCEPT

echo Configuration:
iptables -L
ebtables -L

Dumping the Packets

Now you can run tcpdump on the br0 device and view or save the traffic for later analysis.  Here are a few examples:

# tcpdump -i br0
# tcpdump -nlA -i br0
# tcpdump -nlX -s 256 host 192.168.x.y and port 1234 -i br0

La voila!

No comments:

Post a Comment

On topic comments are welcome. Junk will be deleted.