Difference between revisions of "Wireshark and Tshark"

From Ever changing code
Jump to navigation Jump to search
Line 3: Line 3:
Prerequisites -  Allow root SSH on Ubuntu
Prerequisites -  Allow root SSH on Ubuntu
Edit <tt>/etc/ssh/sshd_config</tt> to allow root password logins through ssh. As shown below, comment out #PermitRootLogin without-password and add PermitRootLogin yes.
Edit <tt>/etc/ssh/sshd_config</tt> to allow root password logins through ssh. As shown below, comment out #PermitRootLogin without-password and add PermitRootLogin yes.
# Authentication:
<source lang=bash>
LoginGraceTime 120
# Authentication:
#PermitRootLogin without-password
LoginGraceTime 120
PermitRootLogin yes
#PermitRootLogin without-password
PermitRootLogin yes
</source>
 


Create named pipe on a system A where Wireshark is installed
Create named pipe on a system A where Wireshark is installed
sudo mkfifo /tmp/remote
<source lang=bash>
sudo mkfifo /tmp/remote
</source>
 


Read from the pipe on system A to Wireshark
Read from the pipe on system A to Wireshark
sudo wireshark -k -i /tmp/remote
<source lang=bash>
sudo wireshark -k -i /tmp/remote
</source>
 


Connect to system B as root user to a remote node then redirect tcpdump output to the named pipe over ssh to system A
Connect to system B as root user to a remote node then redirect tcpdump output to the named pipe over ssh to system A
ssh root@monior-this-host.com "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote
<source lang=bash>
ssh root@monior-this-host.com "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote
</source>
 


[[File:Wireshark-named-pipe.PNG|none|800px|left|Wireshark-named-pipe]]
[[File:Wireshark-named-pipe.PNG|none|800px|left|Wireshark-named-pipe]]
Line 21: Line 33:
= Filters =
= Filters =
Operators
Operators
! - no, && - and, || - or
<source lang=bash>
! - no, && - and, || - or
</source>
 


No STP, No Arp, No ipv6, no nbns, no DHCP
No STP, No Arp, No ipv6, no nbns, no DHCP
!stp && !arp && !ipv6 && !dhcpv6 && !nbns && !bootp.option.type == 53
<source lang=bash>
!stp && !arp && !ipv6 && !dhcpv6 && !nbns && !bootp.option.type == 53
</source>

Revision as of 17:34, 12 August 2019

There are various ways to tap a Wireshark to a linux instance in order to observe live communication. Here below I am utilising named-pipes where tcpdump is redirecting its output to.

Prerequisites - Allow root SSH on Ubuntu Edit /etc/ssh/sshd_config to allow root password logins through ssh. As shown below, comment out #PermitRootLogin without-password and add PermitRootLogin yes.

# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin yes


Create named pipe on a system A where Wireshark is installed

sudo mkfifo /tmp/remote


Read from the pipe on system A to Wireshark

sudo wireshark -k -i /tmp/remote


Connect to system B as root user to a remote node then redirect tcpdump output to the named pipe over ssh to system A

ssh root@monior-this-host.com "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote


Wireshark-named-pipe

Filters

Operators

! - no, && - and, || - or


No STP, No Arp, No ipv6, no nbns, no DHCP

!stp && !arp && !ipv6 && !dhcpv6 && !nbns && !bootp.option.type == 53