Saturday, 21 June 2014

Using Wireshark to evaluate a packet capture

The tool Wireshark is a fantastic tool for both capturing traffic and evaluating traffic. I typically capture traffic using the Linux command line tool 'tcpdump' but like to use Wireshark for evaluation. In this post I will be focusing on evaluation of packet captures.

If you can quickly view packets of interest e.g. insecure http connections you can right click on the packet and select 'Follow TCP Stream' which can quickly show you the traffic flow.

With a packet capture you have open in Wireshark there is a Filter box along the top which you can use to find packets of interest. I find the filter 'frame contains <search term>' can yield interesting results e.g.

frame contains Password
frame contains password
frame contains login
frame contains

Another method for example to ensure a password is not being sent over clear text is to in Wireshark select Edit -> Find Packet and in the resulting window :

  • Select String under Find
  • In the Filter field enter a password of interest e.g. secret
  • Under 'Search In' select 'Packet bytes'
  • Select Find

At the very bottom of the screen if you see 'No packet contained that string' all is good and your password was encrypted before being sent over the network :)

Note : this tool should not be used in a malicious way. It should only be used to ensure your own environment is safe where you have permission to run it e.g. your local network. 

OpenWrt tcpdump packet captures for traffic evaluation

Its really useful to be able to capture traffic on your local network. One common use case would be capturing traffic from a mobile application that you believe may _not be secure. With OpenWrt as our router we can install and use tcpdump to capture the traffic.

I have created a non root account as is best practise to many commands will require 'sudo' to enable the correct privileges.

First we need to update the package manager then install tcpdump :

$ sudo opkg update
$ sudo opkg install tcpdump

Now we can run tcpdump and capture the traffic in a file for evaluation.

Run ifconfig to identify the bridge on your network which typically will have teh IP address :

$ ifconfig

In my case the adaptor is  'br-lan ' which the devices being provisioned by OpenWRT route through.

Check the amount of free disk space you have before writing to file. In this example I have sufficient free space in /tmp.

$ df -h

We can now run a packet capture as the sudo user with the following example syntax changing  'Host IP address' to the IP of your device e.g. phone and 'nameof capture' as an appropriate name.

$ sudo tcpdump -i br-lan -vvv host <Host IP address> -w <nameof capture>.pcap

Generate some network traffic on your device and when complete  press 'Ctrl + C'.

You can then scp the file to your PC for evaluation using a tool like wireshark. Example syntax :

$ scp <nameof capture>.pcap user@<PC IP>:~/tmp

On Arch Linux you can install wireshark with

$ pacman -S wireshark-gtk