I am doing a wireless experiment which used a tp-link router WR1043ND flashed OpenWrt system. Because I need to catch packages through the router, I need to install the tcpdump software.
I just used the command "opkg install tcpdump" to install it, and the terminal showed installation successful.
But when I entered "tcpdump" command, I got a failure prompt which showed that
-ash: tcpdump: not found
So I try to know whether the tcpdump was installed. I entered as following:
opkg list | grep tcpdump
the result after filter showing:
openvswitch-ovs-tcpdump - 2.8.1-1 - Dump traffic from an Open vSwitch port using tcpdump
openvswitch-ovs-tcpundump - 2.8.1-1 - Convert ``tcpdump -xx`` output to hex strings
pcapsipdump - 0.2-1 - pcapsipdump is a tool for dumping SIP sessions (+RTP traffic, if available) to disk in a fashion similar to "tcpdump -w" (format is exactly the same), but one file per sip session (even if there is thousands of concurrect SIP sessions).
tcpdump - 4.9.2-1 - Network monitoring and data acquisition tool
tcpdump-mini - 4.9.2-1 - Network monitoring and data acquisition tool (minimal version)
tcpreplay - 4.2.5-1 - tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap(3) files.
Obviously, the installation was successful.
I really hope somebody can help me handle this question, thanks!
Related
I have a PC A where LTTng tracing is running with live view
lttng create trace-session --live
# Traces will be output to tcp4://127.0.0.1:5342/ [data: 5343]
Another PC B is directly connected with A with a Ethernet cable. At the same time, B is connected to a local network.
Now how can I view the live trace events from a third PC C, which is in the same local network as B, for example with
babeltrace2 "net://${B_IP}/host/${B_HOSTNAME}/trace-session"
I ran the following command on PC C, to make a tunnel to PC *A.
ssh -L 5342:${A_IP}:5342 -N user_name#${B_IP}
However, it seems not to have worked. I would like to ask:
What have I done wrong here?
What is the standard way to "forward" LTTng live tracing events to be viewed by babeltrace2?
Babeltrace2 connects to lttng-relayd using the live port of the lttng-relayd process not the data and control ports.
When the command line report the following:
# Traces will be output to tcp4://127.0.0.1:5342/ [data: 5343]
It means that the lttng-sessiond and lttng-consumerd process will communicate with a lttng-relayd process listening on the 127.0.0.1:5342 for control message and 127.0.0.1:5343 for trace data exchange. A viewer, in this case Babeltrace2 can connect to the live port of a lttng-relayd process to stream live session. You can take a deeper look at the component graph here.
The default live port is 5344 and the default behavior for the lttng-relayd process is to bind on all interfaces to listen. Naturally Babeltrace2 also default on using that port if none is specified to communicate with the lttng-relayd process.
See the man page of lttng-relayd for more details.
What have I done wrong here?
In your scenario you need to tunnel the 5344 port. Note that I'm not versed in ssh tunneling so I cannot validate the ssh approach here.
ssh -L 5344:${A_IP}:5344 -N user_name#${B_IP}
What is the standard way to "forward" LTTng live tracing events to be viewed by babeltrace2?
Babeltrace2 and lttng-relayd use TCP for communication. Hence, all TCP "forwarding" methods are acceptable here. As you probably noticed, LTTng does not encrypt communication and trace data in any way. I would say that using a ssh tunnel is appropriate here if you need to move data across non-trusted network.
I'm training myself on network scanning and i'm focusing on how to identify a sniffer on my net.
Searching on the web, i find that a possible way is the ARP method: i must send an ARP request to a suspect no broadcast IP to check if it's in promiscuous mode.
My doubt is: if my pc is a Windows 7 machine, is there a way to send manually an ARP resuest? Possibly from command line?
You can use tools like nmap.
nmap -sP -PR <IP address/subnet>
For windows you can use the GUI version of nmap - zenmap.
You can use this version of arping for Windows. If you want an already compiled executable you can find it Here (under the "examples" folder).
Usage:
Arping.exe -i <IP_ADDRESS_OF_YOUR_INTERFACE> -T <TARGET_IP_ADDRESS>
another simple way:
ping TARGET_IP_ADDRESS
then
arp -a
the TARGET_IP_ADDRESS shall be shown as type dynamic.
So basically I'm trying to scan web servers that run for example version apache 2.2.4 on their web server, what's the best way of doing this?
Scan for IP's range from blah blah to blah blah, with port 80 open + web server enabled then just make a script that loads ips and checks to see if they have the server banner i want.
Or what's an alternative faster way?
Basically I'm trying to make a script like ShodanHQ.
I'm trying to get a large amount of web servers running a certain version, can anybody give me a direction, thanks hope i was clear.
For doing Internet-wide surveys like Shodan or Scans.io, you need very-high-bandwidth access, legal approval (or at least a blind eye turned) from your ISP, and likely an asynchronous scanner like Zmap or masscan. Nmap is a decent alternative with the --min-rate argument. Anything using the default TCP stack on your OS (e.g. curl, netcat, or Perl solutions) will not be able to keep up with the high packet volume and number of targets required.
If, however, you want to scan a smaller network (say a /16 with 65K addresses), then Nmap is up to the job, requires less setup than the asynchronous scanners (since they require firewall settings to prevent the native TCP stack from responding to returned probes), and is widely available. You could get reasonable performance with this command:
sudo nmap -v -T5 -PS80 -p80 -sS --script http-server-header -oA scan-results-%D%T 10.10.0.0/16
This breaks down to:
-v - verbose output
-T5 - Fastest timing options. This may be too much for some networks; try -T4 if you suspect lost results.
-PS80 - Only consider hosts that respond on port 80 (open or closed).
-p80 - Scan port 80 on alive hosts
-sS - Use Nmap's half-open SYN scan, which has the best timing performance
--script http-server-header - This script will grab the Server header from a basic GET request. Alternatively you could use http-headers to get all headers, or use -sV --version-light to do basic version detection from probe responses.
-oA scan-results-%D%T - Output 3 formats into separate timestamped files. You can process results with one of the many tools that imports Nmap XML output.
You could use curl and sed:
curl -sI 'http://192.0.2.1' | sed -n 's/^Server:[[:blank:]]*//p'
Call it from perl with:
perl -e '$server=`curl -sI 'http://192.0.2.1' | sed -n 's/^Server:[[:blank:]]*//p'`; print $server'
The -I option in curl prints the http headers using a HEAD request.
I am testing handling for socket timeout conditions - for example, connection timeout, connect but no accept, accept but won't read, etc.
I'm looking for a program/script that will act as a server socket producing these effects.
This "hung socket simulator" needs to run on Mac OS (or Linux).
I found one called Bane: https://github.com/danielwellman/bane.
I think the powerful tool socat might be helpful here, it can redirect the request to the real endpoint and thus, you can have full control to the socat process itself to simulate what you want (like suspending the process at certain phase by kill -stop or so)
one of my use cases is that I just want my client app to finish the handshake with the remote service but read no more data:
socat -d -d -d TCP-LISTEN:22181,fork SYSTEM:'socat - "TCP:the-remote-host:2181" \| dd bs=1 count=50' &
the above example only send the first 50 bytes of the response back.
Why don't you just start your client program on your dev machine and when you want the TimeOut to appear, just unplug your network cable.
I have written a small client server socket application. It is a proof of concept for some socket programming that I want to apply to a much bigger project.
For the moment I want to user wireshark to analyse the traffic that goes between them. They are both running on my local machine.
I have installed a loopback interface, and have tried to use wireshark with it.
No joy. Any ideas?
I have successfully analysed traffic between my machine and other machines no problems.
I have had a look here,
http://wiki.wireshark.org/CaptureSetup/Loopback
And I am not using the address 127.0.0.1 which they mention saying you can't capture traffic on 127.0.0.1
Thanks.
You might try creating a virtual machine to run your application and using wireshark on it.
Save yourself some grief and download Microsoft Network Monitor.
As good as Wireshark is on Unixen, Windows is a "special" case :)