Post on 15-Jul-2015
Software Setup
1. Install software:
● sudo pacman -S wireshark-qt wireshark-cli
● sudo pacman -S wireshark-gtk
2. Only members of the group "wireshark" can capture traffic:
● sudo usermod -a -G wireshark topdemo
ZMTP protocol Dissector
https://github.com/whitequark/zmtp-wireshark
mkdir -p ~/.wireshark/plugins
git clone git://github.com/whitequark/zmtp-wireshark ~/.wireshark/plugins/zmtp-wireshark
List installed plugins:
[luke@rmbp pubsub]$ tshark -G plugins
mate.so 1.0.0a dissector /usr/lib/wireshark/plugins/1.12.3/mate.so
opcua.so 1.1.0 dissector /usr/lib/wireshark/plugins/1.12.3/opcua.so
irda.so 0.0.6 dissector /usr/lib/wireshark/plugins/1.12.3/irda.so
m2m.so 1.1.0 dissector /usr/lib/wireshark/plugins/1.12.3/m2m.so
wimax.so 1.1.0 dissector /usr/lib/wireshark/plugins/1.12.3/wimax.so
ethercat.so 0.1.1 dissector /usr/lib/wireshark/plugins/1.12.3/ethercat.so
docsis.so 0.0.5 dissector /usr/lib/wireshark/plugins/1.12.3/docsis.so
stats_tree.so 0.0.1 tap /usr/lib/wireshark/plugins/1.12.3/stats_tree.so
wimaxmacphy.so 0.0.1 dissector /usr/lib/wireshark/plugins/1.12.3/wimaxmacphy.so
wimaxasncp.so 0.0.1 dissector /usr/lib/wireshark/plugins/1.12.3/wimaxasncp.so
unistim.so 0.0.2 dissector /usr/lib/wireshark/plugins/1.12.3/unistim.so
gryphon.so 0.0.4 dissector /usr/lib/wireshark/plugins/1.12.3/gryphon.so
profinet.so 0.2.4 dissector /usr/lib/wireshark/plugins/1.12.3/profinet.so
zmtp-dissector.lua lua script /home/luke/.wireshark/plugins/zmtp-wireshark/zmtp-dissector.lua
List network interfaces:
[luke@rmbp wireshark]$ tshark -D
1. wlp3s0
2. vmnet1
3. vmnet8
4. any
5. lo (Loopback)
6. bluetooth0
7. bluetooth-monitor
8. nflog
9. nfqueue
10. dbus-system
11. dbus-session
12. usbmon1
13. usbmon2
ZeroMQ Protocols
http://rfc.zeromq.org/
● 37/ZMTP - ZeroMQ Message Transport Protocol
http://rfc.zeromq.org/spec:37
ZMTP: Bird's Eye View
Greeting: negotiate protocol version; negotiate security mechanism
Command: protocol (pub/sub, req/rep etc.) session creation
Message: data (a.k.a. "Frame")
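What the Lua dissector decodes at the byte level, as an added example (not code from the slides or from the zmtp-wireshark project): a small C parser for the ZMTP 3.x greeting and for frame headers. The layout follows the ZMTP spec linked above (64-byte greeting starting 0xFF and ending its 10-byte signature with 0x7F, then version, a 20-byte NUL-padded mechanism name, an as-server byte and filler; frames carry a flags byte with bit 0 = MORE, bit 1 = LONG size, bit 2 = COMMAND, followed by a 1- or 8-byte big-endian size). The function names, the ZMTP_MAX_FRAME cap and the sample stream are constructed for this illustration. The parser does the three things a dissector fed from a live capture must get right: reject reserved flag bits, refuse absurd lengths before allocating, and report "need more data" on a truncated frame instead of reading past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZMTP_GREETING_LEN 64
#define ZMTP_MAX_FRAME (64u * 1024u * 1024u)   /* assumed sanity cap, not from the spec */

typedef struct {
    uint8_t major, minor;     /* protocol version, e.g. 3.0 */
    char mechanism[21];       /* "NULL", "PLAIN", "CURVE", ... as a NUL-terminated copy */
    uint8_t as_server;
} zmtp_greeting;

typedef struct {
    int more;                 /* bit 0: another frame of this message follows */
    int is_long;              /* bit 1: 8-byte big-endian size field */
    int is_command;           /* bit 2: command frame rather than message frame */
    uint64_t body_len;
    const uint8_t *body;
} zmtp_frame;

/* Parse the fixed 64-byte ZMTP 3.x greeting. Returns 0 on success, -1 if malformed. */
int zmtp_parse_greeting(const uint8_t *buf, size_t len, zmtp_greeting *out)
{
    if (len < ZMTP_GREETING_LEN) return -1;
    if (buf[0] != 0xFF || buf[9] != 0x7F) return -1;   /* signature: FF, 8 pad bytes, 7F */
    out->major = buf[10];
    out->minor = buf[11];
    memcpy(out->mechanism, buf + 12, 20);               /* 20 octets, NUL-padded */
    out->mechanism[20] = '\0';
    out->as_server = buf[32];
    if (out->as_server > 1) return -1;
    return 0;                                           /* bytes 33..63 are filler */
}

/* Parse one frame (header plus body). Returns bytes consumed, 0 if the buffer does
 * not yet hold the whole frame, or -1 if the flags or size are invalid. */
long zmtp_parse_frame(const uint8_t *buf, size_t len, zmtp_frame *out)
{
    if (len < 1) return 0;
    uint8_t flags = buf[0];
    if (flags & 0xF8) return -1;                        /* reserved bits must be zero */
    out->more = flags & 0x01;
    out->is_long = (flags & 0x02) != 0;
    out->is_command = (flags & 0x04) != 0;
    size_t hdr = out->is_long ? 9 : 2;
    if (len < hdr) return 0;
    uint64_t size = 0;
    if (out->is_long) {
        for (int i = 1; i <= 8; i++) size = (size << 8) | buf[i];
    } else {
        size = buf[1];
    }
    if (size > ZMTP_MAX_FRAME) return -1;               /* refuse absurd lengths up front */
    if (size > len - hdr) return 0;                     /* body not fully buffered yet */
    out->body_len = size;
    out->body = buf + hdr;
    return (long)(hdr + size);
}

/* Walk a captured stream: greeting first, then frames. Returns the number of
 * complete frames, or -1 if anything is malformed. */
int zmtp_count_frames(const uint8_t *buf, size_t len)
{
    zmtp_greeting g;
    if (zmtp_parse_greeting(buf, len, &g) != 0) return -1;
    size_t off = ZMTP_GREETING_LEN;
    int n = 0;
    while (off < len) {
        zmtp_frame f;
        long used = zmtp_parse_frame(buf + off, len - off, &f);
        if (used < 0) return -1;
        if (used == 0) break;                           /* trailing partial frame */
        printf("%s len=%llu more=%d\n", f.is_command ? "command" : "message",
               (unsigned long long)f.body_len, f.more);
        off += (size_t)used;
        n++;
    }
    return n;
}

/* Constructed sample stream (not a real capture): greeting, a READY command,
 * a two-part message with topic "PUB-A:", and a long-size single-part message. */
size_t build_sample_stream(uint8_t *out, size_t cap)
{
    static const uint8_t greeting[ZMTP_GREETING_LEN] = {
        0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0x7F,             /* signature */
        0x03, 0x00,                                      /* version 3.0 */
        'N', 'U', 'L', 'L'                               /* mechanism; remaining bytes zero */
    };
    static const uint8_t frames[] = {
        0x04, 5, 'R', 'E', 'A', 'D', 'Y',                /* command frame */
        0x01, 6, 'P', 'U', 'B', '-', 'A', ':',           /* message-more (topic part) */
        0x00, 3, '1', '2', '3',                          /* message-last */
        0x02, 0, 0, 0, 0, 0, 0, 0, 3, 'a', 'b', 'c'      /* long-size message-last */
    };
    size_t n = sizeof greeting + sizeof frames;
    if (cap < n) return 0;
    memcpy(out, greeting, sizeof greeting);
    memcpy(out + sizeof greeting, frames, sizeof frames);
    return n;
}

int main(void)
{
    uint8_t stream[256];
    size_t n = build_sample_stream(stream, sizeof stream);
    printf("frames: %d\n", zmtp_count_frames(stream, n));
    return 0;
}
```

Feeding the same 96-byte stream minus its last byte yields three complete frames and a "need more" result for the fourth, which is the reassembly case a TCP-based dissector hits on every segment boundary.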
wireshark structure
NIC -> libpcap -> capture filter -> capture buffer -> display filter -> GUI
capture buffer -> capture log file
capture filter examples: "host 192.168.0.1", "tcp dst port 4000"
display filter examples: "ip.dst eq www.mit.edu", "ip.src == 192.168.1.1"
capture filter: high performance (applied by libpcap before the capture buffer)
man pcap-filter
primitive = qualifiers + id
Qualifier: type/direction/protocol
“tcp dst host 192.168.0.1”
display filter
man wireshark-filter
● feature rich
● low performance
“tcp.port == 80 and ip.src == 192.168.2.1”
a capture session
pub (localhost:4000)
sub (localhost:4000)
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <zmq.h>

int main(void)
{
    char buf[1024];
    int rc, count = 0;
    struct timespec tm = {0, 1000000};   /* pause between rounds; the slide does not show its value, 1 ms is assumed */
    void *ctx = zmq_ctx_new();
    void *pub = zmq_socket(ctx, ZMQ_PUB);
    zmq_bind(pub, "tcp://*:4000");
    while (count < 3000000)
    {
        rc = snprintf(buf, 1024, "%s %d", "PUB-A:", count);
        rc = zmq_send(pub, buf, 1024, 0);   /* every message is the full 1K buffer */
        rc = snprintf(buf, 1024, "%s %d", "PUB-B:", count);
        rc = zmq_send(pub, buf, 1024, 0);
        nanosleep(&tm, NULL);
        count++;
    }
    zmq_close(pub);
    zmq_ctx_destroy(ctx);
    return 0;
}
subscription from sub: PUB-A
messages on the wire from pub: PUB-B (1K), PUB-A (1K)
#include <string.h>
#include <zmq.h>

int main(void)
{
    char buf1[1024];
    int rc, count = 0;
    size_t opt_len;
    void *ctx = zmq_ctx_new();
    void *sub = zmq_socket(ctx, ZMQ_SUB);
    zmq_connect(sub, "tcp://127.0.0.1:4000");
    char *top1 = "PUB-A:";              /* subscribe to the PUB-A topic only */
    opt_len = (size_t)strlen(top1);
    zmq_setsockopt(sub, ZMQ_SUBSCRIBE, top1, opt_len);
    while (1)
    {
        rc = zmq_recv(sub, buf1, 1024, 0);
        count++;
    }
    return 0;
}
statistics
[topdemo@king ~]$ tshark -i eno1 -w quote.pcap -a filesize:102400 tcp port 10001
[topdemo@king ~]$ wireshark quote.pcap
Remote Capture with ssh
Remote (interface enp3s0):
tshark -i enp3s0 -F pcap -w -
Local:
wireshark -k -i -
Joined through ssh to the remote host:
ssh -T remote "tshark -i enp3s0 -F pcap -w - " | wireshark -k -i -
Explanation
1. ssh -T
"-T": do not allocate a pseudo-tty.
Since we use ssh as a pipe and run no interactive commands during the ssh session, no pseudo-tty is needed.
Explanation
2. ssh remote
We need to set up public-key login for ssh, so no username/password is needed.
cat ~/.ssh/config
Host remote
HostName xx.xx.xx.xx
Port 22
User xxxx
IdentityFile ~/.ssh/remote.pem
Explanation
3. tshark -i enp3s0 -F pcap -w -
-F pcap: only the "pcap" format is supported for remote capture, not "pcapng" (the default)
-w -: write the captured traffic to stdout