| 1 |
On 7 October 2010 10:37, Stroller <stroller@××××××××××××××××××.uk> wrote: |
| 2 |
> Hi there, |
| 3 |
> |
| 4 |
> I'm interested in the activity of an application which is running on my LAN, and was wondering if anyone could offer some quick pointers on the best tools for this these days. I've played with this some years ago, but only very superficially - I think I used wireshark back then. |
| 5 |
> |
| 6 |
> Ideally what I want to do is capture a big dump of the traffic over a couple of minutes (so it shouldn't be that much, right?) into a file and then analyse it afterwards based on destination IP, content &c. A couple of minutes should allow completion of at least 2 or 3 separate interactions with the server. |
| 7 |
> |
| 8 |
> The network is mine, as is the device from which I'm capturing the data. I have a Belkin F5D7010 wifi card, which I think is based on a RaLink rt2x00 (rt2400 / rt2500) chipset, and I have my network's WPA key, so I think I can just set the wifi card in passive mode for sniffing. I'm pretty sure I experimented with this card in passive mode before, some years ago. Alternatively, I think I can plug the wifi access-point into my PC, bridge it to a second wired NIC and sniff what's going across the bridge (but I don't think this should be necessary). |
| 9 |
> |
| 10 |
> What I'm expecting to see is some image, audio & html files &/or xml data transferred, and ideally I'd like to be able to extract it all and view it in its original format. |
| 11 |
> |
| 12 |
> There's likely to be some inevitable other activity on the wLAN whilst this is happening - I'll try to minimise this, but I think the tools should be able filter out any crap I'm not interested in, right? |
| 13 |
> |
| 14 |
> I'd prefer as much as possible to use CLI tools for capturing / analysing the data. |
| 15 |
|
| 16 |
By passive I assume you mean promiscuous? |
| 17 |
|
| 18 |
Since you prefer CLI you can use tcpdump and tcpflow. tcpdump will |
| 19 |
place your card in promiscuous mode - if you only want to see what's |
| 20 |
addressed to your machine use the -p switch. To avoid truncating the |
| 21 |
packets increase the size of the packets captured e.g. -s 65535 and |
| 22 |
also add some detail -XX to see the payload. Altogether something |
| 23 |
like this should work: |
| 24 |
|
| 25 |
tcpdump -i wlan0 -e -l -U -vvv -s 65535 -w tcpdump_cap.txt -XX |
| 26 |
(switch -w for -r to read what you've captured). |
| 27 |
|
| 28 |
You can use the -T <protocol> option to only capture/read a particular |
| 29 |
protocol. I rarely specify this. |
| 30 |
|
| 31 |
tcpflow -i wlan0 -c -p -s -v |
| 32 |
|
| 33 |
With tcpflow you can specify the protocol (e.g. proto arp) to capture |
| 34 |
only particular packets as well. |
| 35 |
|
| 36 |
Hope this helps. |
| 37 |
-- |
| 38 |
Regards, |
| 39 |
Mick |
Archives