There are times when you may want more detail as to what is happening on your network. Wireshark is an excellent tool to sniff the network and see what packets are flying by. But it isn't the only tool for network diagnostics.
There is a text-based companion program, tshark, which will allow you to sniff the network, but in a terminal (character-based). tshark has the advantage of making it easy to copy/paste packet decodes into other media (such as email).
And of course, there is tcpdump, which has been around for decades but is still a very useful tool, and runs just about everywhere.
We covered Wireshark in 2019, and it is still a good tutorial. Packet filtering can be performed at capture time (using tcpdump syntax) or once packets have been captured, aka display filtering.
Wireshark will happily sniff the network you are on, but what if you need to look at a network your laptop is not directly connected to? How would you do that?
Option A: Install tcpdump or tshark on a remote machine attached to the remote network, then either sniff interactively or write pcap files and scp the pcap files back to your laptop.
Option B: Use the remote sniffing capability built into Wireshark. This is the option we will be demonstrating in the lab today.
In order to perform remote sniffing with Wireshark, one needs the following:
- tcpdump installed
- ssh and root login
OpenWrt routers are perfect for remote sniffing, since they meet the requirements (above) and routers tend to funnel traffic, which means you will see more in the packet capture.
- wireshark (you may need to re-login, or start a new shell)
- ssh keys (in the lab we will use simple passwords)
- not port 22
If it is all working correctly, you should see packets showing up in Wireshark.
As you can see above, there are a few steps to follow to use this technique. The most common error I have run into is this one:
The important part is right at the end: "Can't find a valid authentication. Disconnecting." This usually means that Wireshark has forgotten the password, and it needs to be re-entered.
Start Wireshark using SSH Remote Capture and capture at least 10 packets. Use the following information to:
Attempt/Answer the following:
Although OpenWrt routers are great network probes, the interfaces differ depending on the hardware manufacturer of the router. There will always be a br-lan. However, if you want to sniff the upstream interface, you will need to know the device name (e.g. eth0 or eth0.2, etc.). The only reliable way to determine this is to log into the router and use the ip addr command to see the other interfaces with IP addresses (other than br-lan).
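The following shell helpers are an added example (not code from the original post) covering Option A and the interface check above: a parser for ip addr output that lists the non-br-lan interfaces carrying an address, and a tcpdump-over-ssh pipeline that streams a live pcap back to the laptop. The router address, interface names and addresses are constructed; the capture filter not port 22 keeps the ssh session that carries the capture out of the capture itself, which would otherwise feed back on its own traffic.

```shell
#!/bin/sh
# Helpers for "Option A" remote capture from an OpenWrt router.
# Added example, not code from the original post; the hostname, interface
# names and addresses used here are constructed for illustration.

# Constructed sample of `ip addr` output from an OpenWrt router, used to
# exercise the parser offline (documentation/test address ranges).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth0.2
       valid_lft forever preferred_lft forever'

# Read `ip addr` output on stdin and print the interfaces that carry an
# IPv4 address, other than loopback and br-lan: these are the candidates
# for the upstream interface whose name differs per router model.
upstream_candidates() {
    awk '$1 == "inet" { print $NF }' | grep -v -e '^lo$' -e '^br-lan$' | sort -u
}

# Build the tcpdump command to run on the router. `-w -` streams pcap to
# stdout, `-U` flushes per packet, `-s 0` keeps full frames, and the
# capture filter `not port <sshport>` excludes the ssh session that is
# carrying the capture, so the capture does not feed back on itself.
remote_capture_cmd() {
    iface=$1
    sshport=${2:-22}
    printf 'tcpdump -i %s -U -s 0 -w - not port %s' "$iface" "$sshport"
}

# Stream a live capture from the router into a local pcap file (replace the
# redirect with `| wireshark -k -i -` to decode it live in Wireshark).
# Assumes root ssh login to the router, as the post requires.
run_remote_capture() {
    host=$1 iface=$2 outfile=$3 sshport=${4:-22}
    ssh -p "$sshport" "root@$host" "$(remote_capture_cmd "$iface" "$sshport")" > "$outfile"
}

# Example, run by hand after sourcing this file (constructed router address):
#   ssh root@192.168.1.1 ip addr | upstream_candidates
#   run_remote_capture 192.168.1.1 eth0.2 upstream.pcap
```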
The downside of the technique is that one needs root access on the remote host. Only root can do a promiscuous sniff of an interface. But setting up ssh keys will make this remote root login more secure. OpenWrt supports ssh keys via the web interface (LuCI).
This is just another tool in your exploration of Penetration Testing. Being able to capture packets on a remote network will help you debug network issues that much quicker. Proactively creating a network with probes, ready to remote sniff, will make fixing network issues even faster.
Notes:
1. ssh-keygen -t rsa -f wireshark -C Wireshark
2. Install the wireshark.pub public key on the OpenWrt router (via the web management page)
3. In Wireshark, in the "SSH remote capture" dialog, click on "Path to SSH private key" and find the wireshark private key file.
24 April 2024