Wireshark / tshark
How to capture and analyze network traffic using either Wireshark (it has a GUI), or tshark (command line only), and/or using tshark on a remote host to dump stuff you can analyze on your laptop running Wireshark.
apt-get install tshark |
Usually you use tshark to get a bunch of packets of a certain type and then write them to a file, because there’s a whole ton of results usually returned and it will just blur by on the screen, and usually that helps you find the culprit packets easier. To do this, you use a thing called a filter with the command, and then direct the output to a file like:
tshark -f "ip.addr == 10.0.0.12" -i eth0 -w /some/path/afileyoulldissectlater.cap |
this means look for traffic either go to or from 10.0.0.12 across eth0 and write it to /some/path/afileyoulldissectlater.cap.
The magic is really in the filters, so you have to find a few filters you’ll most commonly use (of course, google is your friend here) like:
| filter | what it does |
| tcp.analysis.retransmission | looks for stuff that’s slowing down the network |
Use Wireshark to get traffic from a remote server
If your laptop is Linux running Wireshark, you probably want to view traffic on some servers somewhere, which you can do over a ssh tunnel. On your SERVER you have to set up a promiscuous interface, in this case I’m setting up eth1 to listen to traffic, and eth0 as your main interface. Do something like:
ifconfig eth1 promisc up vi /etc/network/interfaces/ (add these next lines to the end of the file) auto eth1 iface eth1 inet manual up ifconfig eth1 promisc up down ifconfig eth1 promisc down |
Now it will stay configured after you reboot (which you don’t need to do now). Now do:
apt-get install tcpdump vi /etc/ssh/sshd_config PermitRootLogin yes AllowUsers normaluser otheruser root@lap.top.i.p (or you can do sudo if you want) /etc/init.d/ssh reload |
MAKE SURE YOU CAN STILL login remotely before disconnecting, or you’ll be locked out.
Now go to your LAPTOP (Debian Jessie running KDE here, but others should work) and set up automatic root login to your SERVER like:
ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "yourusername@laptop's_IP_or_hostname.com" cat ~/.ssh/id_dsa.pub | ssh yourusername@server.ip.or.hostname 'cat - >> ~/.ssh/authorized_keys' ssh-add ssh root@ser.ver.i.p |
It *shouldn’t* ask you for a login, if it does, stop and fix that or the rest won’t work right.
Now set up your pipe to your server/fifo by doing this on your LAPTOP:
su chgrp whatevernormaluseris /usr/bin/dumpcap mkdir /tmp/pipes mkfifo /tmp/pipes/cap_fw ssh root@ser.ver.i.p "tcpdump -s 0 -U -n -w - -i eth1 not port 22" > /tmp/pipes/cap_fw |
Now open up another terminal on your LAPTOP as your normal user and run wireshark to get data from your new tunnel like:
wireshark -k -i /tmp/pipes/cap_fw |
That should open up Wireshark on your desktop and start receiving a ton of packets from your server, which should start scrolling past on your screen.
Gotcha’s
If you get an error like:
end of magic pipe |
It means your ssh connection to the remote server didn’t work, so fix that and try again.
finding problems with Wireshark
Noisy hosts:
To show only the duplicate ACKs use the filter
tcp.analysis.duplicate_ack |
To sort by the host sending the mot of them I’d select Satistics > conversations > IPv4 from the menu bar, and check the “limit to display filter” box in the bottom left. You can then chose to sort by either the number of bytes or the number of packets for each pair of communicating hosts to determine who your “noisiest” hosts are. Do this by clicking the column heading.
It is helpful to select Follow Conversation to re-assemble a session you’re seeing one packet of.
Helpful resources:
Write a comment
You need to login to post comments!