merging tcpdump from two different interfaces - linux

Can you please help me to get an idea, how to do the following requirement?
I have two ethernet ports on a server. Eth0 and Eth1. Both interfaces are carrying traffic. I want to capture packet-dump both of the interfaces and merge into one file.
Thank you
Luke

As the answers to Tcpdump on multiple interfaces provide, which #Marged linked to above, you can run tcpdump (or tshark or dumpcap) specifying -i any as the interface if you don't mind capturing traffic on all interfaces. And if you only want traffic on those 2 specific interfaces, then you can simultaneously run 2 separate instances of the capture tool, one capturing on the eth0 interface, the other capturing on the eth1 interface and then merge the two capture files together using a tool such as mergecap.
Alternatively - and much simpler in my opinion - is to just use a single instance of either dumpcap or tshark to capture traffic on both interfaces to a single capture file with no merging of separate capture files needed at all. As the man pages for those tools indicate, "This option can occur multiple times. When capturing from multiple interfaces, the capture file will be saved in pcapng format."
For example:
tshark -i eth0 -i eth1 -w eth0_eth1.pcapng

Related

Can I intercept network packets with a raw socket (not only sniff)?

This is my first time using raw sockets (yes, I need to use them as I must modify a field inside a network header) and all the documentation or tutorials I read describe a solution to sniff packets but that is not exactly what I need. I need to create a script which intercepts the packet, process it and sends it further to the destination, i.e. the packets should not reach the destination unless my script decides to.
In order to learn, I created a small prototype which detects pings and just prints "PING". I would expect ping not to work as I intercept the packets and I don't include the logic to send them to its destination. However ping is working (again, it seems as it is just sniffing/mirroring packets). My goal is that the ping packets are "trapped" in my script and I don't know how to do that. This is what I do in my current python script (I avoid writing how I do the decode for simplicity)
sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
sock.bind((eth0, 0))
packet = sock.recvfrom(65565)
decode_eth(packet)
decode_ip(packet)
if (ipheader.ip_proto == 1):
print("\nPING")
Can somebody explain how can I achieve my goal or point me to the right documentation?
Your description seems to be different from what your title suggest. My understanding is that you want to receive, modify and possibly drop incoming network packets. And this is to be done on Linux. In that case I suggest you use a netfilter prerouting hook, which will make things a lot simpler (and likely more stable). Netfilter is well documented, a nice overview including information related to your requirements can be seen here. The important function to use is nf_register_hook(), read the answer to this question to get an idea of how to set things up.
I suppose that your Linux box is configured as a router (not a bridge). The packet will pass through your Linux because you have enabled IP Forwarding. So there are two solution:
Solution 1:
Disable IP Forwarding and then receive the packet from one interface and do the appropriate task (forwarding to another interface or dropping it).
Solution 2:
Use NetFilterQueue.
Install it on your Linux box (Debian/Ubuntu in my example):
apt-get install build-essential python-dev libnetfilter-queue-dev
Use iptables to send packets coming from input interface (eth0 in my example):
iptables -I INPUT -i eth0 -j NFQUEUE --queue-num 1
Run this script to handle packets forwarded to the Queue No.1 :
from netfilterqueue import NetfilterQueue
def print_and_accept(pkt):
print pkt
pkt.accept()
nfqueue = NetfilterQueue()
nfqueue.bind(1, print_and_accept)
try:
nfqueue.run()
except KeyboardInterrupt:
print
Note that pkt.drop() cause dropping the packet. Also you should accept/drop every packet.

tcpdump catching mac and rssi in linux

I'm trying to use a wlan adapter (TP-link TL-WN722N) in monitor mode to pick up RSS from signals in the environment (both beacons and clients). What I would like to do is to get the MAC address and RSS value into my own code somehow (preferably python). I'm planning to use these values for a rough estimate of locations of nearby devices.
I've looked into scapy, but it does not seem to provide RSS values.
tcpdump seems to be able to get both values, but I have been unable to catch client devices.
Is it possible?
If so can I filter MAC and RSS somehow?
I got it working with tcpdump!
To setup a monitor mode adapter, you first need to check which interface to use:
iw list
Select the correct phy (for me its phy1) and create an adapter (I called it moni0):
sudo iw phy phy1 interface add moni0 type monitor
Then add your adapter to the ifconfig:
sudo ifconfig moni0 up
See this guide for more details.
I used the following params for tcpdump to get the values that I needed. (you can pipe the output to your program, main.py in my case):
sudo tcpdump -n -e -tttt -vvvv -i moni0 | python main.py
You can find my project here.

Jumps in firewall rule sets

I have a general question regarding software-based firewalls.
Specifically, I would like to know whether there are other firewalls than iptables
which allow the specification of jumps inside of the rule set.
In iptables, users have the possibility to specify "jumps" inside of the rule set by targeting specific chains when a rule matches on a packet.
For example, in the following rule set
(1) iptables -A INPUT --src 1.2.3.4 -j ACCEPT
(2) iptables -A INPUT --src 1.2.3.5 -j ACCEPT
(3) iptables -A INPUT --src 1.2.3.6 -j ACCEPT
(4) iptables -A INPUT --src 8.8.8.8 -j NEXT_CHAIN
(5) iptables -A INPUT --src 2.2.2.2 -j ACCEPT
(6) iptables -A INPUT --src 2.2.2.3 -j ACCEPT
<NEXT_CHAIN starts here ...>
rule (4) redirects packet processing to another rule set named "NEXT_CHAIN".
In other words, rules (5) and (6) are skipped (in some sense, if there is a match in NEXT_CHAIN).
I think this is also possible in iptables' predecessor ipchains.
Do you know whether there are any other firewalls that provide a similar feature?
The other main competitor to iptables is pf, which has similar capabilities to iptables.
Linux firewalls are built around Netfilter; the kernel's network packet processing framework which is made of several kernel modules performing specific tasks like:
The FILTER module (always loaded by default) mainly allows us to ACCEPT or DROP IP packets based on a certain matching criteria.
The NAT module set allows us to perform Network Address Translations (SNAT, DNAT, MASQUERADE).
The MANGLE module allows us to alter certain IP packet fields (TOS, TTL)
Users configure the Netfilter framework ("kernel mode") to suit their firewall needs using iptables which is an "userland" application run from the command line. With iptables we define rules that instruct the Linux kernel what to do with IP packets when they arrive into, pass through, or leave our Linux box.
All the Linux based firewalls are based in Netfilter and most of them use iptables as a way to control Netfilter.
Different technologies use a similar strategy; i.e. in BSD (OpenBSD) the kernel module is called PF (Packet Filter) an the "userland" application for controlling PF is called pfctl
Depending what technology you use you have one or the other; both systems do basically the same and of course they both can perform the jumps you mention. Remember a firewall in Linux or BSD is just a set of rules loaded by the corresponding userland application which set the behavior of the corresponding net traffic control kernel engine.
also consider when you jump into a user defined chain you can also "return"
I did some research on other packet filtering systems, and I found out the following:
OpenBSD's pf can implement some sort of control using conditional anchors:
EXAMPLE: anchor udp-only in on fxp0 inet proto udp
The OpenFlow switch provides direct jumps by using GOTO targets
NetBSD's ipfw provides the skipto action
Each of these features allows to modify the control flow during packet classification and can be used to implement JUMP semantics.

Live packet capture on linux

I would like to know if there is any possibility to live capture network packets and save it to a variable for example in python.
I need some information to get from it and not to save it to a file.
I need to capture http packets and get source addres and its content, which should be a html code, to extract only text from it and then do the rest of the job on that information.
There is no reason to save every packet to a file because whole process would be more slower. I was looking for quite a long time for any tool to do this but no success.
Please, if you know any tool that could help me to do this, write about it.
I'm sure you have seen this link about a library to process PCAP files. Now the question is how to acquire in real time without storing in a file.
Probably easiest is to use a fifo
$ mkfifo /tmp/tcpdump.fifo
Now you can capture and feed data into the named fifo
$ sudo tcpdump -s0 -i eth0 -f /tmp/tcpdump.fifo tcp port 80
And in your python program you can open '/tmp/tcpdump.fifo' as the input file as per the instructions in the link.
Alternatively you can try opening '/dev/stdin' in your program and reading the data from there; you could then pipe the PCAP data straight into stdin using the shell and skipping the intermediate named fifo.
$ sudo tcpdump -s0 -i eth0 -f - tcp port 80 | ./youprogram.py

measuring TX retransmission amount per interface

i'm trying to get the TX re-transmission amount for a specific network interface on a Linux 2.6.33.3 kernel.
is there any Linux raw data i can use in order to get/calculate this kind of information?
i've tried netstat, but i couldn't find a way to get the retransmissions value for a specific interface.
with no other "quick" choice, what would it require from me in order to build a small app especially for that? listen to all outgoing packets using any capturing library and count.. what? duplicate packets? by some kind of a packet id?
i'm not a network pro.. am i suppose to find troubles in this kind of mission? (btw, i'll probably try to do it with python. any reason why not to?)
You can check how your interface is configured with the following commands:
mii-tool eth0
ethtool eth0
mii-diag eth0
Not all of them are installed by default in any Linux system, but they are definitely in the distributive and installable.
When you want to measure, how fast is your interface really, you can use dd + netcat:
host1$ cat /dev/zero | nc -l -p 3000
host2$ nc host1 3000 | dd of=/dev/null
^C
dd will write you with which speed was the retransmission between host1 and host2.
If you want per interface, try ifconfig eth0, you probably have what you want there. Just parse it through python.

Resources