Actions

Difference between revisions of "Wireshark"

From Ever changing code

(Filters)
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:
 
Prerequisites -  Allow root SSH on Ubuntu
 
Prerequisites -  Allow root SSH on Ubuntu
 
Edit <tt>/etc/ssh/sshd_config</tt> to allow root password logins through ssh. As shown below, comment out #PermitRootLogin without-password and add PermitRootLogin yes.
 
Edit <tt>/etc/ssh/sshd_config</tt> to allow root password logins through ssh. As shown below, comment out #PermitRootLogin without-password and add PermitRootLogin yes.
# Authentication:
+
<source lang=bash>
LoginGraceTime 120
+
# Authentication:
#PermitRootLogin without-password
+
LoginGraceTime 120
PermitRootLogin yes
+
#PermitRootLogin without-password
 +
PermitRootLogin yes
 +
</source>
 +
 
  
 
Create named pipe on a system A where Wireshark is installed
 
Create named pipe on a system A where Wireshark is installed
sudo mkfifo /tmp/remote
+
<source lang=bash>
 +
sudo mkfifo /tmp/remote
 +
</source>
 +
 
  
 
Read from the pipe on system A to Wireshark
 
Read from the pipe on system A to Wireshark
sudo wireshark -k -i /tmp/remote
+
<source lang=bash>
 +
sudo wireshark -k -i /tmp/remote
 +
</source>
 +
 
  
 
Connect to system B as root user to a remote node then redirect tcpdump output to the named pipe over ssh to system A
 
Connect to system B as root user to a remote node then redirect tcpdump output to the named pipe over ssh to system A
ssh root@monior-this-host.com "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote
+
<source lang=bash>
 +
ssh root@monior-this-host.com "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote
 +
</source>
 +
 
  
 
[[File:Wireshark-named-pipe.PNG|none|800px|left|Wireshark-named-pipe]]
 
[[File:Wireshark-named-pipe.PNG|none|800px|left|Wireshark-named-pipe]]
Line 21: Line 33:
 
= Filters =
 
= Filters =
 
Operators
 
Operators
! - no, && - and, || - or
+
<source lang=bash>
 +
! - no, && - and, || - or
 +
</source>
 +
 
  
 
No STP, No Arp, No ipv6, no nbns, no DHCP
 
No STP, No Arp, No ipv6, no nbns, no DHCP
!stp && !arp && !ipv6 && !dhcpv6 && !nbns && !bootp.option.type == 53
+
<source lang=bash>
 +
!stp && !arp && !ipv6 && !dhcpv6 && !nbns && !bootp.option.type == 53
 +
</source>
 +
 
 +
= Allow non-root (current) user to run tcpdump =
 +
<source lang=bash>
 +
#!/usr/bin/env bash
 +
 
 +
# NOTE: This will let anyone who belongs to the 'pcap' group
 +
# execute 'tcpdump'
 +
 
 +
# NOTE2: User running the script MUST be a sudoer. It is
 +
# convenient to be able to sudo without a password.
 +
 
 +
sudo groupadd pcap
 +
sudo usermod -a -G pcap $USER
 +
sudo chgrp pcap /usr/sbin/tcpdump
 +
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
 +
sudo ln -s /usr/sbin/tcpdump /usr/bin/tcpdump
 +
</source>

Latest revision as of 19:25, 12 August 2019

There are various ways to tap a Wireshark to a linux instance in order to observe live communication. Here below I am utilising named-pipes where tcpdump is redirecting its output to.

Prerequisites - Allow root SSH on Ubuntu Edit /etc/ssh/sshd_config to allow root password logins through ssh. As shown below, comment out #PermitRootLogin without-password and add PermitRootLogin yes.

# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin yes


Create named pipe on a system A where Wireshark is installed

sudo mkfifo /tmp/remote


Read from the pipe on system A to Wireshark

sudo wireshark -k -i /tmp/remote


Connect to system B as root user to a remote node then redirect tcpdump output to the named pipe over ssh to system A

ssh root@monior-this-host.com "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote


Wireshark-named-pipe

Filters

Operators

! - no, && - and, || - or


No STP, No Arp, No ipv6, no nbns, no DHCP

!stp && !arp && !ipv6 && !dhcpv6 && !nbns && !bootp.option.type == 53

Allow non-root (current) user to run tcpdump

#!/usr/bin/env bash

# NOTE: This will let anyone who belongs to the 'pcap' group
# execute 'tcpdump'

# NOTE2: User running the script MUST be a sudoer. It is
# convenient to be able to sudo without a password.

sudo groupadd pcap
sudo usermod -a -G pcap $USER
sudo chgrp pcap /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
sudo ln -s /usr/sbin/tcpdump /usr/bin/tcpdump