I need to capture the remote addresses that a program connects to and the data that it sends and receives on Win 7. Any suggestion for the program I can choose?
Use Wireshark (which includes the libpcap packet capture library). Wireshark provides a packet sniffer GUI and a number of analysis tools that will summarize traffic by endpoint(s), protocols, and other characteristics. http://www.wireshark.org/
Related
Is there an easy way to send and receive BLE raw packets on Linux, e.g. Raspberry Pi devices? Very simply, I would like to use BLE as packet radio, i.e. exchange data packets over the air among several devices. Every device knows the MAC address of all other devices. The BLE packet format is very straightforward. I would think one should be able to put user data into the PDU (2~257 bytes) then push it through a socket to be sent out through the BLE PHY, just like how one can send raw UDP packets through a NIC. But I cannot figure out a straightforward way to achieve this after quite a bit of investigation. I suppose hcitool cmd could send packets if used correctly? But its usage is very cryptic.
The node client/server functions here do exactly this: exchange raw packets via BLE over a network of Pis. See section 3.7 in the documentation for NODE connections.
https://github.com/petzval/btferret
I have an application for Linux. I am using SocketCAN to talk to the CAN bus. We are doing this on a BeagleBone Black based device we made ourselves.
We have another device we need to listen to traffic from. This device sends a ton of data way faster than we need it or can process it.
I am trying to figure out a good way to slow down the traffic coming from this device to ours over CAN.
I found the document that talks about using traffic control (tc) for Linux. I have been trying the examples and not seeing any difference in the incoming traffic.
Everything I have read about this gives examples about limiting the OUTBOUND traffic from an app to the CAN bus.
My question is whether traffic control (tc) can be used to limit incoming traffic to the kernel (and the apps that are listening)?
If not, then is there another tool that can be used for this?
I am ok dropping a percentage of packets. I assume that would have to happen.
I've been playing around with an ethernet protocol (not IP) constructed using
socket(PF_PACKET, SOCK_RAW, ether_type)
I have a small problem. I've got a packet constructed that has the source and destination MAC set to my local card's MAC, which I've also bound the socket to with bind.
I can receive packets fine from the network.
I'm able to send packets to the degree where I see them appear in wireshark.
However, my listening app doesn't see those packets. It is able to see packets from other sources on the network however.
I should point out that my MAC addresses do appear to be sent in the correct byte order.
Can you send packets to yourself?
Do network cards not loopback?
Does the Linux kernel do something special at the IP level for loopback and, because I'm below that, ignore me?
Yes, IP "loopback" packets, as you put it, are treated specially. They're looped back internally, not sent out through the interface. So ethernet-level loopback, in this sense, is a special case that doesn't normally need to be supported. Some old 10Mbit ethernet cards were even half-duplex, so it couldn't have worked on that hardware :).
On the other hand, you can buy/make loopback adaptor cables to test network cards. So it must be possible on (hopefully all) modern hardware. And people have used them under linux with AF_PACKET (evidence, though no more details, here).
I guess the next question would be whether your switch supports this. A dumb hub would have to support it, but there's room for a modern switch to get confused. Or maybe disallowing it in fear of an infinite loop of packets.
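As an added example (not code from the question or the answer above), here is a small C program for the PF_PACKET/SOCK_RAW setup described in the question: it serializes an Ethernet II frame with a custom EtherType, binds an AF_PACKET socket to an interface, reads the interface's own MAC back from the socket and sends the frame to itself. The EtherType 0x88B5 (one of the IEEE 802 local experimental values) and the message payload are assumptions for illustration; `build_frame`/`parse_frame` are pure functions, so the byte order of the MAC addresses and EtherType can be checked without root or a network.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Custom EtherType for the non-IP protocol; 0x88B5 (IEEE 802 local experimental 1) is assumed here. */
#define MY_ETHER_TYPE 0x88B5

/* Serialize an Ethernet II frame: dst MAC, src MAC, big-endian EtherType, payload.
 * MACs are copied byte-for-byte, so the first array byte is the first byte on the wire.
 * Returns the frame length, or 0 if the payload is oversized or the buffer too small. */
size_t build_frame(uint8_t *buf, size_t cap, const uint8_t dst[ETH_ALEN], const uint8_t src[ETH_ALEN],
                   uint16_t ether_type, const uint8_t *payload, size_t plen) {
    if (plen > ETH_DATA_LEN || cap < ETH_HLEN + plen) return 0;
    memcpy(buf, dst, ETH_ALEN);
    memcpy(buf + ETH_ALEN, src, ETH_ALEN);
    buf[12] = (uint8_t)(ether_type >> 8);     /* network byte order, same result as htons() */
    buf[13] = (uint8_t)(ether_type & 0xff);
    memcpy(buf + ETH_HLEN, payload, plen);
    return ETH_HLEN + plen;
}

/* Split a received frame into its header fields; returns 0 on success, -1 for a runt frame. */
int parse_frame(const uint8_t *buf, size_t len, uint8_t dst[ETH_ALEN], uint8_t src[ETH_ALEN],
                uint16_t *ether_type, const uint8_t **payload, size_t *plen) {
    if (len < ETH_HLEN) return -1;
    memcpy(dst, buf, ETH_ALEN);
    memcpy(src, buf + ETH_ALEN, ETH_ALEN);
    *ether_type = (uint16_t)((buf[12] << 8) | buf[13]);
    *payload = buf + ETH_HLEN;
    *plen = len - ETH_HLEN;
    return 0;
}

/* Round-trip check on constructed data; returns 0 if all checks pass, else the failing check's number. */
int frame_selftest(void) {
    static const uint8_t mac[ETH_ALEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}; /* constructed locally administered MAC */
    static const uint8_t msg[] = "hello";
    uint8_t buf[ETH_FRAME_LEN];
    size_t n = build_frame(buf, sizeof buf, mac, mac, MY_ETHER_TYPE, msg, 5);
    if (n != ETH_HLEN + 5) return 1;
    if (buf[12] != 0x88 || buf[13] != 0xB5) return 2;                              /* EtherType is big-endian on the wire */
    if (memcmp(buf, mac, ETH_ALEN) != 0 || memcmp(buf + ETH_ALEN, mac, ETH_ALEN) != 0) return 3;
    uint8_t d[ETH_ALEN], s[ETH_ALEN]; uint16_t t; const uint8_t *p; size_t pl;
    if (parse_frame(buf, n, d, s, &t, &p, &pl) != 0) return 4;
    if (t != MY_ETHER_TYPE || pl != 5 || memcmp(p, msg, 5) != 0) return 5;
    if (parse_frame(buf, 10, d, s, &t, &p, &pl) != -1) return 6;                 /* runt is rejected */
    uint8_t big[ETH_DATA_LEN + 1] = {0};
    if (build_frame(buf, sizeof buf, mac, mac, MY_ETHER_TYPE, big, sizeof big) != 0) return 7; /* oversize is rejected */
    return 0;
}

/* Send one frame from the interface named in argv[1] to that interface's own MAC (needs CAP_NET_RAW). */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <ifname>\n", argv[0]); return 1; }
    int fd = socket(AF_PACKET, SOCK_RAW, htons(MY_ETHER_TYPE));
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_ll sll = {0};
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(MY_ETHER_TYPE);
    sll.sll_ifindex = (int)if_nametoindex(argv[1]);
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { perror("bind"); return 1; }
    /* getsockname() on a bound AF_PACKET socket fills sll_addr/sll_halen with the interface's own MAC. */
    socklen_t sl = sizeof sll;
    if (getsockname(fd, (struct sockaddr *)&sll, &sl) < 0) { perror("getsockname"); return 1; }
    uint8_t buf[ETH_FRAME_LEN];
    size_t n = build_frame(buf, sizeof buf, sll.sll_addr, sll.sll_addr, MY_ETHER_TYPE, (const uint8_t *)"hello", 5);
    if (n == 0) { fputs("frame too large\n", stderr); close(fd); return 1; }
    sll.sll_halen = ETH_ALEN;  /* sll_addr is now the destination for sendto(): our own MAC */
    if (sendto(fd, buf, n, 0, (struct sockaddr *)&sll, sizeof sll) < 0) perror("sendto");
    close(fd);
    return 0;
}
```

One caveat when interpreting the capture: an ETH_P_ALL socket (which is what Wireshark's libpcap uses on Linux) receives a copy of every outgoing frame, tagged PACKET_OUTGOING in sll_pkttype, whereas a socket bound to one specific EtherType only sees frames arriving from the driver. Seeing the frame in Wireshark therefore shows only that it was queued for transmission, not that the NIC or switch looped it back.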
I have installed Cain and Abel on a machine (A). Machine A is connected to another machine (B) via LAN. Now I want to analyze all the traffic of machine B. Is this possible by installing Cain and Abel on machine A?
EDIT
After trying a bit more, Cain and Abel is able to sniff packets of machine B. But the problem is how do I view the packets? It only shows the number of packets captured/sniffed.
Ash,
As we discussed in chat, while Cain is a great tool for ARP poisoning, Wireshark is a far better tool for analysis. Good news is when you are using Cain to receive the ARP poisoned packets you can also use Wireshark and sniff the packets at the same time.
Get the binary here http://www.wireshark.org/
Once you have begun poisoning with Cain, simply select the same interface you are poisoning from in Wireshark and click start capture. This view will be far superior to what you could see when using Cain.
Of note, know there are other ARP cache poisoning programs out there that are more purpose built for this sort of application. One of the best I have found is ettercap. It will also work very well with Wireshark or any other sniffer you choose to employ.
I hope our discussion helped.
dc
I'm new to working with Linux. I want to capture the Ethernet packets above the device driver layer.
I know that all the packets pass through the function "dev_queue_xmit" to transmit the packet to the upper layer and the function "netif_rx" for receiving the packet.
How can I "hook" these functions to control the Ethernet traffic?
What should I work with to accomplish this task?
You might want to check out libpcap (a portable C/C++ library for network traffic capture). There is also an example.
You might want to use raw sockets. http://aschauf.landshut.org/fh/linux/udp_vs_raw/ch01s03.html
See also this question
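As an added example for the raw-socket suggestion above (not code from the question or from the libpcap project), here is a C capture program that sits at the layer the question asks about. An AF_PACKET socket opened with ETH_P_ALL is handed a copy of every frame the driver passes up the netif_rx path and, marked PACKET_OUTGOING, every frame queued through dev_queue_xmit, so it observes both directions without modifying the kernel. The `frame_ethertype` and `tally_frames` helpers are pure functions and go beyond the question by also handling 802.1Q VLAN-tagged frames and runts; the frames in `tally_selftest` are constructed test data, not captured traffic, and the 20-frame loop limit in `main` is an arbitrary choice.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* EtherType of the frame's payload, skipping one 802.1Q VLAN tag if present.
 * Returns 0 for a runt frame that does not carry a complete header. */
uint16_t frame_ethertype(const uint8_t *f, size_t len) {
    if (len < ETH_HLEN) return 0;
    uint16_t t = (uint16_t)((f[12] << 8) | f[13]);
    if (t == ETH_P_8021Q) {                 /* 0x8100: 2-byte TCI, then the real EtherType */
        if (len < ETH_HLEN + 4) return 0;
        t = (uint16_t)((f[16] << 8) | f[17]);
    }
    return t;
}

struct type_count { uint16_t type; unsigned frames; unsigned bytes; };

/* Tally frames by EtherType into a fixed-size table; runts are dropped.
 * Returns the number of distinct EtherTypes recorded (at most cap). */
size_t tally_frames(const uint8_t *const *frames, const size_t *lens, size_t n,
                    struct type_count *tab, size_t cap) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t t = frame_ethertype(frames[i], lens[i]);
        if (t == 0) continue;
        size_t j;
        for (j = 0; j < used && tab[j].type != t; j++) ;
        if (j == used) {
            if (used == cap) continue;      /* table full: skip rather than overflow */
            tab[used++] = (struct type_count){t, 0, 0};
        }
        tab[j].frames++;
        tab[j].bytes += (unsigned)lens[i];
    }
    return used;
}

/* Self-check on constructed frames (not captured traffic); returns 0 on success, else the failing check's number. */
int tally_selftest(void) {
    static const uint8_t ip4[]  = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45,0,0,0};                   /* IPv4, 18 bytes */
    static const uint8_t arp[]  = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x06, 0,1,8,0};                      /* ARP, 18 bytes */
    static const uint8_t vlan[] = {0,1,2,3,4,5, 6,7,8,9,10,11, 0x81,0x00, 0x00,0x0a, 0x08,0x00, 0x45,0}; /* VLAN 10 + IPv4, 20 bytes */
    static const uint8_t runt[] = {0,1,2,3,4};
    const uint8_t *frames[] = {ip4, arp, vlan, runt};
    const size_t lens[] = {sizeof ip4, sizeof arp, sizeof vlan, sizeof runt};
    struct type_count tab[8];
    size_t k = tally_frames(frames, lens, 4, tab, 8);
    if (k != 2) return 1;                                                           /* IPv4 and ARP; runt dropped */
    if (tab[0].type != ETH_P_IP || tab[0].frames != 2 || tab[0].bytes != 18 + 20) return 2;
    if (tab[1].type != ETH_P_ARP || tab[1].frames != 1 || tab[1].bytes != 18) return 3;
    if (frame_ethertype(vlan, 16) != 0) return 4;                                   /* tag present but truncated before inner type */
    return 0;
}

/* Capture loop (needs CAP_NET_RAW). An optional argv[1] restricts capture to one interface. */
int main(int argc, char **argv) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return 1; }
    if (argc > 1) {
        struct sockaddr_ll sll = {0};
        sll.sll_family = AF_PACKET;
        sll.sll_protocol = htons(ETH_P_ALL);
        sll.sll_ifindex = (int)if_nametoindex(argv[1]);
        if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { perror("bind"); return 1; }
    }
    uint8_t buf[ETH_FRAME_LEN];
    for (int i = 0; i < 20; i++) {
        struct sockaddr_ll from;
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); break; }
        /* sll_pkttype tells the direction: PACKET_OUTGOING came via dev_queue_xmit, the rest via netif_rx. */
        printf("%s len=%zd type=0x%04x\n", from.sll_pkttype == PACKET_OUTGOING ? "out" : "in ",
               n, frame_ethertype(buf, (size_t)n));
    }
    close(fd);
    return 0;
}
```

This observes traffic rather than controlling it: an AF_PACKET socket gets copies of frames and cannot drop or alter the originals. Filtering or rewriting at this layer would instead go through a Netfilter/nftables rule or a BPF program attached to the interface, which is a different mechanism from the hooks named in the question.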