[mythtv-users] Packet sniffing consumer electronic devices

Jay Ashworth jra at baylink.com
Mon Nov 25 15:53:02 UTC 2013


----- Original Message -----
> From: "Simon Hobson" <linux at thehobsons.co.uk>

> Then came switches. Apart from broadcast and multicast traffic, the
> only traffic you will see on a port is traffic addressed to your MAC
> - everything else just doesn't show up. With a basic unmanaged switch,
> this is not fixable - so in a typical home or small business network
> with basic switches you cannot sniff traffic this way - hence why I
> keep an old hub around !
> With managed switches, there is usually a facility to mirror traffic
> on one port to another port. Capabilities vary, but as a minimum it
> should allow you to copy all traffic to/from one port (the monitored
> port) to the monitoring port. You can now plug yourself into this
> monitoring port and see all the traffic on the monitored port.

The HP 2626 does this nicely (the 4900B model is recommended to avoid 
10/100 problems, and is generally findable on eBay for *well* under 
$100, compared to the $7-800 they are new; and they have a full lifetime
warranty).

> 2) Capturing the packets
> For this you need a sniffer. There are several, my personal preferred
> choice is Wireshark (or more normally as I usually work on headless
> machines, the text only Tshark), another that comes to mind is Pcap.
> With tshark, you can apply capture filters and either dump the packets
> to a file for later analysis, or display them in real time (either as
> a 1 line summary, or a verbose decode). Eg, you could specify "host
> 192.168.1.123 and host 192.168.1.1 and port 80" to limit the capture
> to only port 80 (HTTP) traffic between those two machines. "port 67 or
> port 68" will get you DHCP traffic. "not ether host aa:bb:cc:dd:ee:ff"
> will exclude traffic from a specific device - I use this to avoid
> getting traffic from my own laptop (you should see how chatty OS X is
> !) if the filters I'm using won't exclude it anyway.

I'm pretty sure tcpdump (available in most OS repos even if Wireshark is
not) will make you a pcap file that WS can read on whatever machine you
want to read it on -- hell, there are PCAP and micro-Wireshark clones for
*Android*...

> AIUI not all network cards are capable of this as it needs them to
> support promiscuous mode - though I've not met this limitation myself
> (including capturing from a VM hosted under Xen - most of my systems
> are virtual now).

It's pretty uncommon these days to find an Ethernet interface less than 10
years old that won't do promisc, in my experience.  WLAN interfaces, 
somewhat less so.

> And for completeness, there are hardware devices with such
> capabilities. I believe some of the higher end Fluke network testing
> kit can do this, but I'm not likely to ever have access to such stuff
> !

Not for $20k and up, no.  Nice gear though.

> 3) Displaying the results
> With Wireshark, you can display the results as you capture packets, or
> you can load a file you captured separately - so it's possible to
> capture packets from a remote system, copy the file to your local
> machine, and then analyse them. Wireshark is much more useful (in some
> respects) than Tshark as you can select which parts of packets to
> display, sort them, select conversations (ie related packets from one
> connection) and so on.

The approach to this is generally to look at "flows"; sessions between the
internal device and whatever it sees fit to talk to.  If it starts talking
to things you might not have expected, on ports you didn't expect (tcp/123
for example is NTP, a relatively benign thing for a consumer electronic
device to talk on), then it's time to investigate further.

Cheers,
-- jra
-- 
Make Election Day a federal holiday: http://wh.gov/lBm94  100k sigs by 12/14

Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
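A script that does the "flows" pass described in the post, added here as an example and not code from the thread or from MythTV. It reads a libpcap file (what tcpdump -w or tshark -w writes from the mirror port), tallies one row per peer/protocol/port for a chosen device with both directions of a session collapsed together, and reports anything not on a short allow-list of expected services. The device address, the allow-list and the in-memory capture (built from RFC 5737 documentation addresses) are assumptions made for the demonstration; it uses only the Python standard library.

```python
"""Per-peer flow summary for one device from a libpcap capture (stdlib only).
Added example, not code from the thread: parses classic libpcap (Ethernet link
type) and just the IPv4/TCP/UDP headers. The capture below is CONSTRUCTED in
memory; a real `tcpdump -w dev.pcap` file is read the same way from disk.
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 0xA1B2C3D4, 1, 0x0800
DEVICE_IP = "192.168.1.123"                       # assumed: the box being watched
# Assumed allow-list of services a consumer device may legitimately use.
EXPECTED_SERVICES = {("udp", 53): "DNS", ("udp", 67): "DHCP", ("udp", 123): "NTP",
                     ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}


def parse_pcap(data):
    """Yield raw frames from a libpcap file; either byte order is accepted."""
    e = {struct.pack("<I", PCAP_MAGIC): "<", struct.pack(">I", PCAP_MAGIC): ">"}.get(data[:4])
    if e is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(e + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):                  # 16-byte per-packet record header
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def decode_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                               # ARP, IPv6, runt frame: skipped
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length, options included
    proto = {6: "tcp", 17: "udp"}.get(ip[9])
    if proto is None or len(ip) < ihl + 8:
        return None                               # ICMP etc., or cut short by snaplen
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), proto, sport, dport


def summarise_flows(data, device_ip):
    """One entry per (peer_ip, proto, peer_port); both directions of a session
    land in the same entry, frames not involving device_ip are ignored."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in parse_pcap(data):
        d = decode_frame(frame)
        if d is None:
            continue
        src, dst, proto, sport, dport = d
        if src == device_ip:
            key = (dst, proto, dport)             # outbound: peer's port is dport
        elif dst == device_ip:
            key = (src, proto, sport)             # inbound: peer's port is sport
        else:
            continue
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(frame)
    return dict(flows)


def unexpected_flows(flows):
    """Flow keys whose (proto, peer port) is not on the allow-list."""
    return sorted(k for k in flows if (k[1], k[2]) not in EXPECTED_SERVICES)


# --- constructed test capture; checksums left at zero, nothing verifies them ---
def _frame(src, dst, proto, sport, dport, payload=b""):
    eth = bytes(range(12)) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == "tcp":   # 20-byte TCP header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:                # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     6 if proto == "tcp" else 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 1385394782 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


# Peers are RFC 5737 documentation addresses. Last two frames: the device talking
# to an unlisted port, and a neighbour's HTTP traffic that must be ignored.
SAMPLE_PCAP = build_pcap([
    _frame(DEVICE_IP, "192.168.1.1", "udp", 40001, 53, b"\x00" * 30),
    _frame("192.168.1.1", DEVICE_IP, "udp", 53, 40001, b"\x00" * 46),
    _frame(DEVICE_IP, "203.0.113.10", "udp", 40002, 123, b"\x00" * 48),
    _frame("203.0.113.10", DEVICE_IP, "udp", 123, 40002, b"\x00" * 48),
    _frame(DEVICE_IP, "198.51.100.7", "tcp", 40003, 443),
    _frame("198.51.100.7", DEVICE_IP, "tcp", 443, 40003),
    _frame(DEVICE_IP, "198.51.100.7", "tcp", 40003, 443),
    _frame(DEVICE_IP, "192.0.2.50", "tcp", 40004, 5555),
    _frame("192.168.1.50", "192.168.1.1", "tcp", 40005, 80),
])

if __name__ == "__main__":
    flows = summarise_flows(SAMPLE_PCAP, DEVICE_IP)
    for (peer, proto, port), c in sorted(flows.items()):
        label = EXPECTED_SERVICES.get((proto, port), "UNEXPECTED")
        print(f"{peer:>15} {proto}/{port:<5} {c['packets']:3} pkts {c['bytes']:5} bytes  {label}")
```

Run as-is to see the table for the constructed capture, or feed it the bytes of a real file taken on the mirror port. A capture filter such as "host 192.168.1.123" on the tcpdump side keeps the file down to the device's own traffic, which is all the script looks at anyway; the allow-list is deliberately short so that a new destination or port stands out as the "time to investigate further" signal the post talks about.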