ECE497 Project WireShark

Team members: Ben Paras,  Manuel Stephan

Grading Template
I'm using the following template to grade. Each slot is 10 points. 0 = Missing, 5=OK, 10=Wow!

 10 Executive Summary - Good. I did some minor clean up 10 Installation Instructions - Nice and clear. Good step-by-step 10 User Instructions - Nice pictures. 10 Highlights - Nice video, but a bit long. 09 Theory of Operation - An intro paragraph at the start would help. 10 Work Breakdown - Nice timeline 10 Future Work - Good 10 Conclusions 10 Demo 00 Late Comments: Very well done project. You learned early you couldn't compile for the Bone, so you had plenty of time to try a plan B. Well done!

Score: 99/100

Executive Summary
We want to monitor and analyze any network traffic on the BeagleBone. Initially we wanted to port wireshark on to the bone, but after much experimentation and research, we decided to implement a different approach. We are currently able to monitor traffic on usb0 and eth0 on the BeagleBone using tcpdump on the BeagleBone and wireshark on the host computer. As a demonstration, we are able to see if anyone is accessing the BeagleBone via port 3000 (cloud9 IDE).

Almost everything is working and we were able to get this project working on multiple computers as well. What currently could be implemented is updating the wireparser to also look for a reverse magic number instead of just the normal magic number (read more in Theory of Operation section).

A lot of time in this project was spent trying to port wireshark to the BeagleBone, but using the alternative solution we found was a lot more productive. By using tcpdump on the BeagleBone and wireshark on the host computer our approach is optimal in terms of resource usage and performance.

Prerequisites
Hardware requirements:
 * Beagle Bone Black
 * Linux host computer running Ubuntu 12.04 LTS or later
 * USB cable
 * Ethernet Cable

Software requirements: If you do not have these, you can get them with these commands:
 * Wireshark
 * The g++ compiler
 * Make

host$ sudo apt-get install wireshark host$ sudo apt-get install g++ host$ sudo apt-get install make

Getting the sources:

Do a git clone on our repository to get all the sources you need and do an ls to see them:

host$ git clone git@github.com:manuelstephan/eLinuxProject.git wireShark host$ cd wireShark host$ ls confused.pcap Makefile   ooP.cpp        README.md  wireparser.cpp main.cpp      Makefile~  original.pcap  run.sh     wireparser.hpp

You should have a matching directory from above, if not, do a git pull

To build the binary of the wireparser you just have to type make. No additional configuration is required.

host$ make g++ -c wireparser.cpp g++ -c main.cpp g++ -o wireparser wireparser.o main.o Confiugration and Setup:

Now you need tcpdump so ssh to your beaglebone and check if tcpdump is installed: host$ ssh root@192.168.7.2 bealge$ which tcpdump /usr/sbin/tcpdump

Make sure tcpdump exists and is configured to the path: /usr/sbin/tcpdump

If it isn't installed, install it: beagle$ opkg install tcpdump It should automatically configured to the path: /usr/sbin/tcpdump

Now you need an ssh-id on the beaglebone so you can log onto it without typing a password. The script that sets up and runs program needs it to work. Otherwise the process of typing in a password interferes with it.

First do a ssh-keygen: host$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in wire. Your public key has been saved in wire.pub. The key fingerprint is: 99:e4:9d:14:af:ec:e7:e7:39:9a:4d:e2:3c:31:16:ba bp@bp-HP-EliteBook-8530w The key's randomart image is: +--[ RSA 2048]+ |         .      | |           o     | |       . . .    | |       o * o.    | |       S =. .  | |         .. +    | |          .ooo. | |         E=.=o. | |           *=+. | +-+

You should get something similar to above. Now copy the key to the beaglebone: host$ ssh-copy-id root@192.168.7.2 Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.

From here just type exit

Now everything is prepared for the actual operation. See User Instructions in the next section to learn how to do a live capture on the beaglebone via the host and wireshark.

Here is a link to the github page from where the git clone operation above is running on: https://github.com/manuelstephan/eLinuxProject

User Instructions
Before you start, make sure the beaglebone is connected via USB to your host computer. After that, follow this one step to get everything running.

1) Run capture.sh (eth0 or usb0)
If you haven't already previously, make sure you run make in the eLinuxProject git directory host$ make g++ -c wireparser.cpp g++ -c main.cpp g++ -o wireparser wireparser.o main.o

Now run the capture.sh script: hoat$ ./capture.sh eth0 or host$ ./capture.sh usb0 Capturing from eth0 wireshark is installed on your system. mkfifo /tmp/myfifo0 was created .. mkfifo /tmp/myfifo1 was created .. Starting tcpdump ... Tcpdump running ... Starting wireshark ... Wireshark running ...  Starting wireparser ...  tcpdump: WARNING: eth0: no IPv4 address assigned tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

capture.sh takes in an interface parameter (eth0 or usb0) according to what part of the beagle bone you are watching

This runs the script that sets up and runs everything. After this script is ran, wireshark should open up:



Now connect to the beaglebone's ethernet port and wait for the packets to arrive. It should take a few seconds. Once they arrive, you should see something like this:



Now you can connect anything to either the usb0 or eth0 port of the beaglebone and monitor the traffic.

To exit and stop everything,just do a CTRL+C: host$ CTRL+C ^Ccleaning up ....

This will close and clean up everything so you should save the captures before doing CTRL+C

For more information check out this youtube video tutorial on Wireshark: http://www.youtube.com/watch?v=UFAA_7lpkTE

or visit http://www.wireshark.org/docs for more tutorials on Wireshark.

Highlights
The main highlight of the project is that we can monitor network traffic on the beaglebone.

Here is a youtube video demo of monitoring activity on port 3000 (cloud 9 IDE) of the beaglebone:

beaglebone network monitoring

In the youtube video we show what can be done with our project. Basically,we set up tcpdump on the beaglebone and wireshark on the host computer. We then monitor the traffic that is going through the ethernet interface of the beaglebone.Then we connect the beaglebone on port 3000 (Cloud 9 IDE) from a other computer. All the packets going back and fourth are displayed in by wireshark so we can see if somebody else is accessing the beaglebone via port 3000. As port 3000 is a big security hole on the beaglebone we think this video helps to make you aware of it.

Theory of Operation
Components:
 * Named pipes - These are basically FIFOs. Many processes can share data through the named pipe.


 * tcpdump - A powerful commandline packet analyzer. It is very efficient to use on embedded systems due to its efficiency. The beaglebone also comes with this already installed. It is possible to forward tcpdump traffic over ssh.


 * wireshark - A packet analysis tool that comes with a GUI. This is very resource-consuming so it is not ideal to use this on an embedded system. The captures from wireshark also take up a lot of space so its a good idea to be running wireshark on a more powerful system such as your host computer.

This format is supported by both wireshark and tcpdump. The Global Header has a magic number that you need to look for in order to parse the traffic. typedef struct pcap_hdr_s { guint32 magic_number;  /* magic number */ guint16 version_major; /* major version number */ guint16 version_minor; /* minor version number */ gint32 thiszone;       /* GMT to local correction */ guint32 sigfigs;       /* accuracy of timestamps */ guint32 snaplen;       /* max length of captured packets, in octets */ guint32 network;       /* data link type */ } pcap_hdr_t;
 * .pcap  - These are packet capture files. The following is the file format of .pcacp files (courtesy of wiki.wireshark.org):

The magic number ( 0xa1b2c3d4 (identical) or 0xd4c3b2a1 (swapped) ) is always located at the beginning at the global header.


 * wireparser - This is a c++ program that looks for the magic number and throws away everything before the magic number. After if finds the magic number, the rest of the data is passed through.

Operation workflow:

1) Check for existing FIFOs and delete them if they do exist - existing FIFOs may have junk information

2) Create 2 FIFOs in /tmp - myfifo0 and myfifo1

3) Start tcpdump in the background on the beaglebone with the parameters to use pcap format, listen to a specified interface (usb0 or eht0), and then pipe it to /tmp/myfifo0

4) Start wireshark in the background on the host with the parameters to start the capture immediately, capture the interface (/tmp/myfifo1)

5) Start the wireparser which will read from /tmp/myfifo0, filter it, and write it to /tmp/myfifo1 from which wireshark will read from

6) Any data through tcpdump should appear in the wireshark graphical interface

7) Once finished with capture, CTRL+C to stop everything (wireshark, wireparser, and tcpdump)

All these steps are done in the capture.sh script that was made. See the graphic below for a visualization of the how the programs interact:



The graphic above represents what occurs in the whole process and is explained as follows:

1) The packets captured by tcpdump on the beaglebone from the specified interfaced interface are forwarded over ssh to the 1st FIFO on the host computer

2) The wireparser reads from the 1st FIFO and looks for the magic number 0xa1b2c3d4

3) Everything before the magic number is filtered out and the rest of the data (including the magic number) is passed to the 2nd FIFO

4) The 2nd FIFO now contains only data in the .pcacp format from which wireshark will read from

5) Now wireshark has all the traffic data from the beaglebone and can now be analyzed using the GUI provided

Work Breakdown
Major Tasks:
 * Try to compile wireshark on the beaglebone - Manuel Stephan
 * Try to crosscompile wireshark via the host - Ben Paras
 * Consulted Patrick Vogelaar for wireshark usability - Manuel Stephan and Ben Paras
 * Formulate new method to monitor traffic on the beaglebone - Manuel Stephan and Ben Paras
 * Evaluate new method and determine what needs to be done for it to work - Manuel Stephan and Ben Paras
 * Figure out how to interface tcpdump and wireshark using named pipes - Ben Paras
 * Learn about .pcap format and how to parse it - Manuel Stephan
 * Write the wireparser to filter out the captures - Manuel Stephan
 * Test out the wiresparser by using gHex and whether or not it parsed correct and incorret .pcap formats. -Ben Paras
 * Clean up and separate wiresparser into components and create a Makefile for it - Ben Paras
 * Write capture.sh - Manuel Stephan
 * Test capture.sh - Ben Paras
 * Documentation 1 (Executive Summary, Theory of Operation, Future Work) - Manuel Stephan
 * Documentation 2 (Installation Instructions, User Instructions, Work Breakdown) - Ben Paras
 * Take a youtube demo video and upload - Manuel Stephan and Ben Paras
 * Documentation 3 (Highlights and Conclusions) - Manuel Stephan and Ben Paras

The timeline below shows the tasks and major milestones and when they were accomplished:

Future Work
Currently the parser just looks for the magic number (0xa1b2c3d4) in the pcap captures and not the reverse magic number (0xd4c3b2a1)
 * Include the reversed magic number (0xd4c3b2a1) in the parser

The parser keeps checking for the magic number even if it was already found. This results in additional cpu usage. It should be possible to change the parser and add a forward mode to it so it just forwards all data after the magic number was found. This could increase the speed of the parser significantly.
 * Increase the parsing speed

Currently we just used the parser to process the traffic created by loading a homepage. We did not monitor the traffic of a huge download yet.
 * Evaluate the parser if it is able to process a lot of data.


 * Excluding the ssh traffic in wireshark when monitoring the traffic on the beaglebone.

Conclusions
With our project, we made it possible to capture and analyze the network traffic on linux embedded devices using efficient tcpdump on the embedded device and capable wireshark with GUI on a host computer. The fact that we can monitor traffic on the beaglebone enables numerous issues arise with regards the the beaglebone security. Trying to figure out certain security measures on the beaglebone would be another follow up project that would prove useful to us all as the subject of network security can be expanded into embedded systems.

Special Thanks to:
Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.