September 10, 2024

Wireshark / tshark

How to capture and analyze network traffic with either Wireshark (it has a GUI) or tshark (command line only), and how to run a capture on a remote host and stream it to your laptop so you can analyze it in Wireshark.

apt-get install tshark

Usually you use tshark to grab packets of a certain type and write them to a file, because a capture normally returns a huge number of packets that just blur by on the screen, and saving them makes it easier to find the culprit packets later. To do this, you give the command a filter and direct the output to a file like:

tshark -f "host 10.0.0.12" -i eth0 -w /some/path/afileyoulldissectlater.cap

this means look for traffic going either to or from 10.0.0.12 on eth0 and write it to /some/path/afileyoulldissectlater.cap. Note that -f takes a capture filter in tcpdump/BPF syntax (host, port, net and so on); the ip.addr == 10.0.0.12 style is Wireshark display-filter syntax, which tshark takes with -Y and which you type into the filter bar in the Wireshark GUI.

The magic is really in the filters, so you have to find a few filters you’ll most commonly use (of course, google is your friend here) like:

filter                          what it does
tcp.analysis.retransmission     shows TCP retransmissions, i.e. the stuff that's slowing down the network

Use Wireshark to get traffic from a remote server

If your laptop is Linux running Wireshark, you probably want to view traffic on some servers somewhere, which you can do over an ssh tunnel. On your SERVER you have to set up a promiscuous interface; in this case I'm setting up eth1 to listen to traffic, with eth0 as the main interface. Do something like:

ifconfig eth1 promisc up
vi /etc/network/interfaces (add these next lines to the end of the file)
  auto eth1
  iface eth1 inet manual
        up ifconfig eth1 promisc up
        down ifconfig eth1 promisc down

Now it will stay configured after you reboot (which you don’t need to do now). Now do:

apt-get install tcpdump
vi /etc/ssh/sshd_config
  PermitRootLogin yes
  AllowUsers normaluser otheruser root@lap.top.i.p (or you can do sudo if you want)
/etc/init.d/ssh reload

MAKE SURE YOU CAN STILL log in remotely before disconnecting, or you'll be locked out.

Now go to your LAPTOP (Debian Jessie running KDE here, but others should work) and set up automatic root login to your SERVER like:

ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "yourusername@laptop's_IP_or_hostname.com"
cat ~/.ssh/id_dsa.pub | ssh root@server.ip.or.hostname 'cat - >> ~/.ssh/authorized_keys'   # the key has to land in root's authorized_keys, since the next step logs in as root
ssh-add
ssh root@ser.ver.i.p

It *shouldn't* ask you for a password; if it does, stop and fix that or the rest won't work right. (On anything newer than Jessie, OpenSSH no longer accepts DSA keys, so use ssh-keygen -t ed25519 and the matching id_ed25519 file names instead.)

Now set up the pipe (a fifo fed by ssh from your server) by doing this on your LAPTOP:

su
chgrp whatevernormaluseris /usr/bin/dumpcap
mkdir /tmp/pipes
mkfifo /tmp/pipes/cap_fw
ssh root@ser.ver.i.p "tcpdump -s 0 -U -n -w - -i eth1 not port 22" > /tmp/pipes/cap_fw

Now open another terminal on your LAPTOP as your normal user and run Wireshark reading from your new pipe like:

wireshark -k -i /tmp/pipes/cap_fw

That should open up Wireshark on your desktop and start receiving a ton of packets from your server, which should start scrolling past on your screen.

Gotchas
If you get an error like:

end of magic pipe

It means your ssh connection to the remote server didn’t work, so fix that and try again.
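The laptop side of the recipe above (fifo, ssh, tcpdump, wireshark) as one Python script, with a pre-flight check for the ssh failure behind the pipe error just described. This is an added example and not part of the original notes; the server name root@ser.ver.i.p, the interface eth1 and the fifo path are the placeholders from the notes and must be replaced, and the function names are mine.

```python
"""Added illustration: laptop-side remote capture with a pre-flight ssh check.
Not from the original notes; host, interface and fifo path are placeholders."""
import os
import stat
import subprocess
import sys

SERVER = "root@ser.ver.i.p"      # placeholder from the notes, replace with your server
IFACE = "eth1"                   # the promiscuous interface configured on the server
FIFO = "/tmp/pipes/cap_fw"

SSH_OPTS = ["-o", "BatchMode=yes", "-o", "ConnectTimeout=5"]   # never prompt, fail fast


def remote_capture_cmd(server, iface, exclude_port=22):
    """Same tcpdump line as the notes: -s 0 full snaplen, -U flush every packet so
    Wireshark sees frames immediately, -n no DNS lookups, -w - pcap to stdout.
    'not port 22' keeps the ssh session carrying the capture out of the capture;
    otherwise every captured frame generates more frames to capture."""
    return ["ssh", *SSH_OPTS, server,
            f"tcpdump -s 0 -U -n -w - -i {iface} not port {exclude_port}"]


def ssh_preflight(server):
    """Key-based login must already work non-interactively. If ssh wants a password
    the fifo stays empty and Wireshark fails on the missing pcap magic number."""
    rc = subprocess.run(["ssh", *SSH_OPTS, server, "true"],
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc == 0


def ensure_fifo(path):
    """Create the named pipe (mode 0600) if needed, and refuse a regular file of that
    name: redirecting tcpdump into a plain file would quietly fill the disk instead."""
    if os.path.lexists(path):
        if not stat.S_ISFIFO(os.lstat(path).st_mode):
            raise RuntimeError(f"{path} exists and is not a fifo")
        return path
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    os.mkfifo(path, 0o600)
    return path


def main(server=SERVER, iface=IFACE, fifo=FIFO):
    if not ssh_preflight(server):
        sys.exit(f"non-interactive ssh to {server} failed; fix that before capturing")
    ensure_fifo(fifo)
    # Wireshark opens the read end; our open() of the write end blocks until it does,
    # so start Wireshark first and attach ssh/tcpdump once a reader is present.
    wireshark = subprocess.Popen(["wireshark", "-k", "-i", fifo])
    with open(fifo, "wb") as write_end:
        capture = subprocess.Popen(remote_capture_cmd(server, iface), stdout=write_end)
    try:
        wireshark.wait()        # capture runs until the Wireshark window is closed
    finally:
        capture.terminate()     # ends the ssh session, which ends tcpdump on the server
        capture.wait()


if __name__ == "__main__":
    main()
```

BatchMode=yes is what turns the "it asks for a password" case into a clean failure instead of a hung terminal, which is why the preflight uses the same options as the capture command.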

Finding problems with Wireshark

Noisy hosts:

To show only the duplicate ACKs use the filter

tcp.analysis.duplicate_ack

To sort by the host sending the most of them, I'd select Statistics > Conversations > IPv4 from the menu bar and check the "limit to display filter" box in the bottom left. You can then choose to sort by either the number of bytes or the number of packets for each pair of communicating hosts to determine who your "noisiest" hosts are. Do this by clicking the column heading.

It is helpful to select Follow Conversation to reassemble a whole session when you're looking at only one packet of it.
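The three Wireshark operations these notes lean on, done by hand on a small pcap so you can see what they actually compute: the host filter used with tshark -w at the top of the page, the per-host-pair packet and byte counts behind Statistics > Conversations, and the rule behind tcp.analysis.duplicate_ack. This is an added example, not code from the original page or from the Wireshark project; every packet is constructed inside the script (the addresses 10.0.0.12, 10.0.0.5, 10.0.0.7 and 10.0.0.9 and the function names are mine), and the duplicate-ACK rule is a simplified version of Wireshark's, so it will not match Wireshark packet for packet on real traffic.

```python
"""Added illustration: a host filter, Conversations statistics and duplicate-ACK
detection on a constructed pcap.  Not from the original notes or from Wireshark."""
import struct
from collections import defaultdict

ACK, SYN, FIN, RST, PSH = 0x10, 0x02, 0x01, 0x04, 0x08


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums are left zero (nothing here checks them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def write_pcap(frames):
    """Classic pcap (magic a1b2c3d4, link type 1 = Ethernet), the format tshark -w writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (src, dst, caplen, tcp) per IPv4 record; tcp is None unless protocol 6."""
    off = 24
    while off < len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = None
        if frame[23] == 6:
            sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
            total = struct.unpack_from("!H", frame, 16)[0]
            tcp = (sport, dport, seq, ack, flags, total - ihl - (doff >> 4) * 4)
        yield src, dst, caplen, tcp


def host_filter(data, host):
    """What the capture filter "host X" (display filter ip.addr == X) keeps."""
    return [p for p in read_pcap(data) if host in (p[0], p[1])]


def conversations(packets):
    """Statistics > Conversations > IPv4, sorted by packet count: who is noisiest."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, caplen, _ in packets:
        pair = tuple(sorted((src, dst)))
        stats[pair][0] += 1
        stats[pair][1] += caplen
    return sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)


def duplicate_acks(packets):
    """Simplified tcp.analysis.duplicate_ack: a pure ACK (no data, no SYN/FIN/RST) whose
    seq and ack numbers repeat the previous segment sent in the same direction."""
    last, dups = {}, []
    for src, dst, _, tcp in packets:
        if tcp is None:
            continue
        sport, dport, seq, ack, flags, datalen = tcp
        direction = (src, sport, dst, dport)
        pure_ack = flags & ACK and not flags & (SYN | FIN | RST) and datalen == 0
        if pure_ack and last.get(direction) == (seq, ack):
            dups.append(direction)
        last[direction] = (seq, ack)
    return dups


def build_sample_pcap():
    """Constructed traffic: one HTTP-ish exchange ending in two duplicate ACKs, plus a
    quiet second host pair, so the conversation table has something to rank."""
    A, B, C, D = "10.0.0.12", "10.0.0.5", "10.0.0.7", "10.0.0.9"
    req, resp = b"GET / HTTP", b"HTTP/1.1 200 OK\r\n\r\n"      # 10 and 19 bytes
    return write_pcap([
        tcp_frame(A, B, 40000, 80, 100, 0, SYN),
        tcp_frame(B, A, 80, 40000, 500, 101, SYN | ACK),
        tcp_frame(A, B, 40000, 80, 101, 501, ACK),
        tcp_frame(A, B, 40000, 80, 101, 501, PSH | ACK, req),
        tcp_frame(B, A, 80, 40000, 501, 111, ACK),
        tcp_frame(B, A, 80, 40000, 501, 111, PSH | ACK, resp),
        tcp_frame(A, B, 40000, 80, 111, 520, ACK),
        tcp_frame(A, B, 40000, 80, 111, 520, ACK),    # duplicate ACK
        tcp_frame(A, B, 40000, 80, 111, 520, ACK),    # duplicate ACK
        tcp_frame(C, D, 5000, 22, 1, 0, SYN),
        tcp_frame(D, C, 22, 5000, 1, 2, SYN | ACK),
    ])


def analyze(data):
    pkts = list(read_pcap(data))
    conv = conversations(pkts)
    return {"conversations": conv, "noisiest": conv[0][0], "dup_acks": len(duplicate_acks(pkts))}


if __name__ == "__main__":
    r = analyze(build_sample_pcap())
    for pair, (n, nbytes) in r["conversations"]:
        print(f"{pair[0]:>10} <-> {pair[1]:<10} {n:3d} packets {nbytes:5d} bytes")
    print("duplicate ACKs:", r["dup_acks"])
```

Reading the same pcap that tshark -w produced is the point: once you know the conversation table is nothing more than a packet and byte count per unordered host pair, "limit to display filter" is just running that count over the packets a filter kept.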

Helpful resources:

wireshark remote capturing