{"id":2510,"date":"2016-08-29T00:00:58","date_gmt":"2016-08-29T07:00:58","guid":{"rendered":"http:\/\/192.168.3.4\/?p=2510"},"modified":"2018-01-09T06:51:15","modified_gmt":"2018-01-09T14:51:15","slug":"rpi-network-packet-analysis-tooling","status":"publish","type":"post","link":"https:\/\/www.cloudacm.com\/?p=2510","title":{"rendered":"RPi Network Packet Analysis Tooling"},"content":{"rendered":"<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">In this post, I&#8217;ll cover using the Rpi as a network analysis tool. The hardware of the Rpi and the open source software that runs on it make an extremely cost-effective platform for network diagnostics and troubleshooting.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">The hardware layout I&#8217;ll be using is fairly simple. The Rpi 3 has built-in interfaces for both wired and wireless connections. <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">I&#8217;ll be using the wired connection as my packet sniffing port. It will not have any IP bound to it. The physical connection will link to a managed switch. The switch port is configured with data mirrored from my WAN port connection, which is on another port of the same switch. Any data packets passing through the WAN port will be mirrored on the port used by the Rpi. I will not be performing a man-in-the-middle attack in this example.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">The wireless connection on the Rpi will be my primary IP connection, allowing me to manage and perform tasks on the Rpi. 
I&#8217;ll connect to the Rpi using an SSH terminal connection.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">There are several software tools available. The ones I&#8217;ll be covering are:<\/span><\/span><\/p>\n<ul>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">TCPDump<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">URLSnarf<\/span><\/span><\/li>\n<\/ul>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\"><span style=\"font-size: medium;\">There are a host of other tools; here is a brief list. See the credits at the bottom of the post for more.<\/span><\/span><\/span><\/p>\n<ul>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">TCPTrace<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">DriftNet<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">WireShark<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">EtterCap<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">TCPXtract<\/span><\/span><\/li>\n<\/ul>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">First, I need to install the software that does not come pre-installed on my Rpi OS. TCPDump does come pre-installed; however, URLSnarf (part of the Dsniff suite) does not. 
To install URLSnarf, run the following command on the Rpi.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">sudo apt-get install dsniff -y<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">Now, we should be ready to start capturing packets. Initially, I ran the URLSnarf tool with the standard output so I can observe it in real time. Here is the command I used.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">ifconfig<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">This gave me the list of my interfaces so I can set the correct parameters in URLSnarf.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">eth0 Link encap:Ethernet HWaddr b8:27:eb&#8230;<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">With that information, now I can enter in the command to start my URLSnarf capture.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">sudo urlsnarf -i eth0<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">It starts and displays web traffic as it occurs.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">x.x.x.x &#8211; &#8211; [12\/Aug\/2016:04:56:53 -0700] &#8220;GET 
http:\/\/www.computerhope.com\/unix\/ugrep.htm HTTP\/1.1&#8221; &#8211; &#8211; &#8220;https:\/\/duckduckgo.com\/&#8221; &#8220;Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:48.0) Gecko\/20100101 Firefox\/48.0&#8221; <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">x.x.x.x &#8211; &#8211; [12\/Aug\/2016:04:56:53 -0700] &#8220;GET http:\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/1.10.2\/jquery.min.js HTTP\/1.1&#8221; &#8211; &#8211; &#8220;http:\/\/www.computerhope.com\/unix\/ugrep.htm&#8221; &#8220;Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:48.0) Gecko\/20100101 Firefox\/48.0&#8221; <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">x.x.x.x &#8211; &#8211; [12\/Aug\/2016:04:56:53 -0700] &#8220;GET http:\/\/www.computerhope.com\/recent.js HTTP\/1.1&#8221; &#8211; &#8211; &#8220;http:\/\/www.computerhope.com\/unix\/ugrep.htm&#8221; &#8220;Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:48.0) Gecko\/20100101 Firefox\/48.0&#8221; <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">It appears to be working, good. Now what I&#8217;ll do is start a capture to a log file for post analysis. To do that, I&#8217;ll run this command.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">sudo urlsnarf -i eth0 &gt; \/home\/user\/Desktop\/URL_20160812A.txt<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">This does not display any progress on the screen, so this is why I run the initial command to verify all is working first. 
You can also make a copy of the log file and open it to verify.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">After a period of time passes, I&#8217;ll stop the command by issuing a [Ctrl] + [C] key combination. I can open the file in an editor to view it. I typically use nano; use this command.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">nano \/home\/user\/Desktop\/URL_20160812A.txt<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">The captured web traffic will appear. Depending on how much traffic traverses the port and the length of time the capture runs, finding useful info can be painstaking if done manually. For this reason, I like to issue grep commands to parse out the more relevant details and go from there.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">grep -c &#8220;ip address&#8221; \/home\/user\/Desktop\/URL_20160812A.txt<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">This returns the number of lines in the log file that contain that specific IP address. 
I could enter any string in the text to get search results for a number of items; here are some examples:<\/span><\/span><\/p>\n<ul>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">Time of day<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">domain<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">browser type<\/span><\/span><\/li>\n<li class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">file type<\/span><\/span><\/li>\n<\/ul>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">It&#8217;s quite nice to see such clear results. <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">URLSnarf gives great detail about web traffic passing by, but TCPDump is the kitchen sink of packet capture. I would rarely run it on the Rpi for any length of time, especially when logging to a file. You can quickly exhaust your resources with an unabated full packet capture. <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">Here is a command that will get it all. Remember to hit [Ctrl] + [C] to stop the capture.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Courier New,monospace;\"><span style=\"font-size: small;\">sudo tcpdump -i eth0 -s 0<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">It really is the kitchen sink, and the amount of information to sift through would be overwhelming. 
For that reason, adding filters to the command will let you be more granular in your capture endeavors. The best approach is to capture a short unfiltered event to a log file and derive your filters from those results. Then you can apply them on your subsequent captures.<\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">One last thing I&#8217;d like to point out is that the TCPDump log files can be analyzed post capture. This means you can view them offline, on another system. <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">As you can see, the Rpi has some really great potential for helping you troubleshoot network packet related issues. Happy capturing. <\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\"><b>I&#8217;d like to give credit to the following sites that I referenced for the information in the post.<\/b><\/span><\/span><\/p>\n<ol>\n<li><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">TCP Reassembly &#8211; <a href=\"https:\/\/wiki.wireshark.org\/TCP_Reassembly\">https:\/\/wiki.wireshark.org\/TCP_Reassembly <\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">DriftNet Tutorial &#8211; <a href=\"http:\/\/lifeofpentester.blogspot.com\/2013\/10\/driftnet-tutorial-how-to-sniff-images.html\">http:\/\/lifeofpentester.blogspot.com\/2013\/10\/driftnet-tutorial-how-to-sniff-images.html <\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">URLSnarf Info &#8211; <a href=\"http:\/\/jermsmit.com\/ettercap-and-urlsnarf-fun\/\">http:\/\/jermsmit.com\/ettercap-and-urlsnarf-fun\/ <\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Trebuchet 
MS,sans-serif;\"><span style=\"font-size: medium;\">DriftNet Info &#8211; <a href=\"https:\/\/blackundertone.wordpress.com\/tag\/urlsnarf\/\">https:\/\/blackundertone.wordpress.com\/tag\/urlsnarf\/ <\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">Piping TCPDump through SSH &#8211; <a href=\"http:\/\/blog.db-network.de\/tcpdump-piped-through-ssh-and-wireshark\/\">http:\/\/blog.db-network.de\/tcpdump-piped-through-ssh-and-wireshark\/ <\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">Network Capture and Analysis &#8211; <a href=\"http:\/\/adaywithtape.blogspot.com\/2010\/03\/network-captures-revisited.html\">http:\/\/adaywithtape.blogspot.com\/2010\/03\/network-captures-revisited.html <\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Trebuchet MS,sans-serif;\"><span style=\"font-size: medium;\">Packet Sniffing &#8211; <a href=\"http:\/\/noah.org\/wiki\/Packet_sniffing\">http:\/\/noah.org\/wiki\/Packet_sniffing<\/a><\/span><\/span><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>In this post, I&#8217;ll cover using the Rpi as a network analysis tool. The hardware of the Rpi and the open source software that runs on it is an extremely cost effective method to network diagnostics and troubleshooting. The hardware layout I&#8217;ll be using is fairly simple. The Rpi 3 has built in interfaces for both wired and wireless connections. I&#8217;ll be using the wired connection as my packet sniffing port. 
It will not have any IP bound to it&#8230;.<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"https:\/\/www.cloudacm.com\/?p=2510\"> Read More<span class=\"screen-reader-text\">  Read More<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,6,3],"tags":[],"class_list":["post-2510","post","type-post","status-publish","format-standard","hentry","category-data-mining","category-raspberry-pi","category-rd"],"_links":{"self":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2510"}],"version-history":[{"count":9,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2510\/revisions"}],"predecessor-version":[{"id":2513,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2510\/revisions\/2513"}],"wp:attachment":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}