Difference between revisions of "ECE497 Project WireShark"

From eLinux.org
Jump to: navigation, search
(User Instructions)
m (Moved to ECE497Fall2013)
 
(26 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[[Category:ECE497 |Project]]
+
[[Category:ECE497Fall2013 |Project]]
 
{{YoderHead}}
 
{{YoderHead}}
  
 
Team members: [[user:Parasby| Ben Paras]], [[User:Manuel | Manuel Stephan]]  
 
Team members: [[user:Parasby| Ben Paras]], [[User:Manuel | Manuel Stephan]]  
 
== Grading Template ==
 
I'm using the following template to grade.  Each slot is 10 points.
 
0 = Missing, 5=OK, 10=Wow!
 
 
<pre style="color:red">
 
00 Executive Summary
 
00 Installation Instructions
 
00 User Instructions
 
00 Highlights
 
00 Theory of Operation
 
00 Work Breakdown
 
00 Future Work
 
00 Conclusions
 
00 Demo
 
00 Late
 
Comments: I'm looking forward to seeing this.
 
 
Score:  10/100
 
</pre>
 
 
<span style="color:red">(Inline Comment)</span>
 
  
 
== Executive Summary ==
 
== Executive Summary ==
  
We want to try to port WireShark and see what we could get working on the BeagleBone.  
+
We want to monitor and analyze any network traffic on the BeagleBone. Initially we wanted to port ''wireshark'' on to the bone, but after much experimentation and research, we decided to implement a different approach. We are currently able to monitor traffic on ''usb0'' and ''eth0'' on the BeagleBone using ''tcpdump'' on the BeagleBone and ''wireshark'' on the host computer. As a demonstration, we are able to see if anyone is accessing the BeagleBone via port 3000 (''cloud9'' IDE).  
  
As it was a problem to get wireshark compiled on the beaglebone after some skype sessions with Patrick Vogelaar, Graduate student in Advanced Communications at Napier in Edinburgh we thought of the problem in a different way. Instead of porting ressource consuming wireshark to the beaglebone we use tcpdump on the bone to just monitor the traffic. The traffic is tehn piped through ssh to the host computer and then analyzed by wireshark. So we get use the full capability of wireshark on a host computer and use lean tcpdump on the beaglebone.  
+
Almost everything is working and we were able to get this project working on multiple computers as well. What currently could be implemented is updating the ''wireparser'' to also look for a reverse magic number instead of just the normal magic number (read more in Theory of Operation section).  
  
 +
A lot of time in this project was spent trying to port ''wireshark'' to the BeagleBone, but using the alternative solution we found was a lot more productive. By using tcpdump on the BeagleBone and ''wireshark'' on the host computer our approach is optimal in terms of resource usage and performance.
  
 
== Installation Instructions ==
 
== Installation Instructions ==
Line 48: Line 27:
 
If you do not have these, you can get them with these commands:  
 
If you do not have these, you can get them with these commands:  
  
  '''sudo apt-get install wireshark'''
+
  host$ '''sudo apt-get install wireshark'''
  '''sudo apt-get install g++'''
+
  host$ '''sudo apt-get install g++'''
  '''sudo apt-get install make'''
+
  host$ '''sudo apt-get install make'''
  
 
'''''Getting the sources:'''''  
 
'''''Getting the sources:'''''  
Line 56: Line 35:
 
Do a '''git clone''' on our repository to get all the sources you need and do an '''ls''' to see them:
 
Do a '''git clone''' on our repository to get all the sources you need and do an '''ls''' to see them:
  
  '''git clone git@github.com:manuelstephan/eLinuxProject.git'''  
+
  host$ '''git clone git@github.com:manuelstephan/eLinuxProject.git wireShark'''
  '''ls'''
+
  host$ '''cd wireShark'''
 +
host$ '''ls'''
 
  confused.pcap  Makefile  ooP.cpp        README.md  wireparser.cpp
 
  confused.pcap  Makefile  ooP.cpp        README.md  wireparser.cpp
 
  main.cpp      Makefile~  original.pcap  run.sh    wireparser.hpp
 
  main.cpp      Makefile~  original.pcap  run.sh    wireparser.hpp
Line 65: Line 45:
 
To build the binary of the wireparser you just have to type '''make'''. No additional configuration is required.   
 
To build the binary of the wireparser you just have to type '''make'''. No additional configuration is required.   
  
  '''make'''
+
  host$ '''make'''
 
  g++ -c wireparser.cpp
 
  g++ -c wireparser.cpp
 
  g++ -c main.cpp
 
  g++ -c main.cpp
Line 73: Line 53:
  
 
Now you need '''tcpdump''' so ssh to your beaglebone and check if tcpdump is installed:
 
Now you need '''tcpdump''' so ssh to your beaglebone and check if tcpdump is installed:
  '''ssh root@192.168.7.2'''
+
  host$ '''ssh root@192.168.7.2'''
  '''which tcpdump'''  
+
  bealge$ '''which tcpdump'''  
 
  /usr/sbin/tcpdump
 
  /usr/sbin/tcpdump
  
Line 80: Line 60:
  
 
If it isn't installed, install it:  
 
If it isn't installed, install it:  
  '''opkg install tcpdump'''
+
  beagle$ '''opkg install tcpdump'''
 
It should automatically configured to the path: ''/usr/sbin/tcpdump''
 
It should automatically configured to the path: ''/usr/sbin/tcpdump''
  
Line 86: Line 66:
  
 
First do a '''ssh-keygen''':
 
First do a '''ssh-keygen''':
  '''ssh-keygen'''
+
  host$ '''ssh-keygen'''
 
  Generating public/private rsa key pair.
 
  Generating public/private rsa key pair.
 
  Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire       
 
  Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire       
Line 109: Line 89:
  
 
You should get something similar to above. Now copy the key to the beaglebone:
 
You should get something similar to above. Now copy the key to the beaglebone:
  '''ssh-copy-id root@192.168.7.2'''
+
  host$ '''ssh-copy-id root@192.168.7.2'''
 
  Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in:
 
  Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in:
 
   ~/.ssh/authorized_keys
 
   ~/.ssh/authorized_keys
Line 122: Line 102:
  
 
== User Instructions ==
 
== User Instructions ==
Before you start, make sure the beaglebone is connected via USB to your host computer.  
+
Before you start, make sure the beaglebone is connected via USB to your host computer. After that,
 +
follow this one step to get everything running.  
  
 
====1) Run capture.sh (eth0 or usb0)====
 
====1) Run capture.sh (eth0 or usb0)====
 
If you haven't already previously, make sure you run '''make''' in the eLinuxProject git directory
 
If you haven't already previously, make sure you run '''make''' in the eLinuxProject git directory
  '''make'''
+
  host$ '''make'''
 
  g++ -c wireparser.cpp
 
  g++ -c wireparser.cpp
 
  g++ -c main.cpp
 
  g++ -c main.cpp
Line 132: Line 113:
  
 
Now run the capture.sh script:
 
Now run the capture.sh script:
  '''./capture.sh eth0''' or '''./capture.sh usb0'''  
+
  hoat$ '''./capture.sh eth0''' or host$ '''./capture.sh usb0'''  
 
  Capturing from eth0
 
  Capturing from eth0
 
  wireshark is installed on your system.
 
  wireshark is installed on your system.
Line 151: Line 132:
 
[[File:Wiresharkempty.png|framed|center|Wireshark upon opening.|100px]]
 
[[File:Wiresharkempty.png|framed|center|Wireshark upon opening.|100px]]
  
Now connect to the beaglebone's ethernet port and wait for the packets to arrive. Once they arrive, you should see something like this:
+
Now connect to the beaglebone's ethernet port and wait for the packets to arrive. It should take a few seconds. Once they arrive, you should see something like this:
  
 
[[File:WiresharkBeagle.png|framed|center|Wireshark once it sees packets.|100px]]
 
[[File:WiresharkBeagle.png|framed|center|Wireshark once it sees packets.|100px]]
  
 +
Now you can connect anything to either the usb0 or eth0 port of the beaglebone and monitor the traffic.
  
 +
To exit and stop everything,just do a '''CTRL+C''':
 +
host$ '''CTRL+C'''
 +
^Ccleaning up ....
  
Once everything is installed, how do you use the program? Give details here, so if you have a long user manual, link to it here.
+
This will close and clean up everything so you should save the captures before doing '''CTRL+C'''
 +
 
 +
For more information check out this youtube video tutorial on Wireshark:
 +
http://www.youtube.com/watch?v=UFAA_7lpkTE
 +
 
 +
or visit http://www.wireshark.org/docs for more tutorials on Wireshark.
  
 
== Highlights ==
 
== Highlights ==
  
Here is where you brag about what your project can do.
+
The main highlight of the project is that we can monitor network traffic on the beaglebone.
  
Include a [http://www.youtube.com/ YouTube] demo.
+
Here is a youtube video demo of monitoring activity on port 3000 (cloud 9 IDE) of the beaglebone:
 +
 
 +
[http://www.youtube.com/watch?v=H3Eu8Ujmm-A&feature=youtu.be beaglebone network monitoring]
 +
 
 +
In the youtube video we show what can be done with our project. Basically,we set up tcpdump on the beaglebone and ''wireshark'' on the host computer. We then monitor the traffic that is going through the ethernet interface of the beaglebone.Then we connect the beaglebone on port 3000 (Cloud 9 IDE) from a other computer. All the packets going back and fourth are displayed in by ''wireshark'' so we can see if somebody else is accessing the beaglebone via port 3000. As port 3000 is a big security hole on the beaglebone we think this video helps to make you aware of it.
  
 
== Theory of Operation ==
 
== Theory of Operation ==
  
 +
'''''Components:'''''
 +
* ''[http://en.wikipedia.org/wiki/Named_pipe Named pipes]'' - These are basically [http://en.wikipedia.org/wiki/FIFO FIFO]s. Many processes can share data through the named pipe.
  
[[File:SystemOverview.png|framed|center|Overview of the System.|100px]]
 
  
This part is currently under construction ... so the information provided is not jet finalized ...  
+
* ''[http://www.tcpdump.org/ tcpdump]''  - A powerful commandline packet analyzer. It is very efficient to use on embedded systems due to its efficiency. The beaglebone also comes with this already installed. It is possible to forward tcpdump traffic over ssh.
 +
 
 +
 
 +
* ''[http://www.wireshark.org/ wireshark]'' - A packet analysis tool that comes with a GUI. This is very resource-consuming so it is not ideal to use this on an embedded system. The captures from wireshark also take up a lot of space so its a good idea to be running wireshark on a more powerful system such as your host computer.
 +
 
 +
 
 +
* ''[http://wiki.wireshark.org/Development/LibpcapFileFormat .pcap] '' - These are packet capture files. The following is the file format of .pcacp files (courtesy of wiki.wireshark.org):
 +
[[File:pcapFormat.png|framed|center|.pcacp file format.|100px]]
 +
This format is supported by both ''wireshark'' and ''tcpdump''. The Global Header has a magic number that you need to look for in order to parse the traffic.  
 +
typedef struct pcap_hdr_s {
 +
        guint32 magic_number;  /* magic number */
 +
        guint16 version_major;  /* major version number */
 +
        guint16 version_minor;  /* minor version number */
 +
        gint32  thiszone;      /* GMT to local correction */
 +
        guint32 sigfigs;        /* accuracy of timestamps */
 +
        guint32 snaplen;        /* max length of captured packets, in octets */
 +
        guint32 network;        /* data link type */
 +
} pcap_hdr_t;
 +
 
 +
The magic number ( ''0xa1b2c3d4'' (identical) or ''0xd4c3b2a1'' (swapped) ) is always located at the beginning at the global header.  
 +
 
  
The beaglebone black is attached to ethernet. Tcpdump is running on the beaglebone in a special mode and listens to eth0.
+
* ''wireparser'' - This is a c++ program that looks for the magic number and throws away everything before the magic number. After if finds the magic number, the rest of the data is passed through.  
The beaglebone is connected with a host via ssh over the usb interface. All data captured by tcpdump is forwarded over ssh to the host computer. The host computer provides 2 named pipes so called fifos. All the ssh traffic is piped to the first fifo. The wireparser reads out of the fifo and filters non pcap stuff out. Then the filtered packages are piper to fifo2. Wireshark is started in a special mode to read out of fifo 2 and provides a graphical interface for analysis of the packets.  
 
  
No matter that we are using very low ressource consuming tcpdump on the beaglebone we do have the capability for live captures and analysis of the networktraffic.
 
  
== Work Breakdown ==
+
'''''Operation workflow:'''''
  
Job to do:
+
'''1)''' Check for existing FIFOs and delete them if they do exist - existing FIFOs may have junk information
Get wireshark running on the beagelbone black.
 
  
 +
'''2)''' Create 2 FIFOs in ''/tmp''  - ''myfifo0'' and ''myfifo1''
  
Requirements Specification
+
'''3)''' Start ''tcpdump'' in the background on the beaglebone with the parameters to use pcap format,
 +
listen to a specified interface (usb0 or eht0), and then pipe it to ''/tmp/myfifo0''
  
The user shall be able to monitor tcp/ip traffic on the beaglebone black.
+
'''4)''' Start ''wireshark'' in the background on the host with the parameters to start the capture immediately, capture the interface (''/tmp/myfifo1'')
The user shall be able to use wiresharks large capabilities to filter and analyze datapackets.
 
  
The user should be able to use a graphical interface.
+
'''5)''' Start the wireparser which will read from ''/tmp/myfifo0'' , filter it, and write it to ''/tmp/myfifo1'' from which ''wireshark'' will read from
  
 +
'''6)''' Any data through ''tcpdump'' should appear in the ''wireshark'' graphical interface
  
Major tasks:
+
'''7)''' Once finished with capture, '''CTRL+C''' to stop everything (''wireshark'' , ''wireparser'', and ''tcpdump'')
Evaluation of the portability of wireshark to the beaglebone black.
 
  
Cross compile approach.
+
All these steps are done in the '''capture.sh''' script that was made. See the graphic below for a visualization of the how the programs interact:
  
Thinking of the problem in a different way. Evaluating if the traffic can be monitored in a other way.  
+
[[File:SystemOverview.png|framed|center|Overview of the System.|100px]]
  
Find out how to filter out ssh relikts.
+
The graphic above represents what occurs in the whole process and is explained as follows:
  
Writing the parser.
+
'''1)''' The packets captured by ''tcpdump'' on the beaglebone from the specified interfaced interface are forwarded over ssh to the 1st FIFO on the host computer
  
Testing the parser.
+
'''2)''' The ''wireparser'' reads from the 1st FIFO and looks for the magic number ''0xa1b2c3d4''
  
Find out how named pipes work.
+
'''3)''' Everything before the magic number is filtered out and the rest of the data (including the magic number) is passed to the 2nd FIFO
Putting it all together
 
Write a makefile to compile the sources.
 
  
 +
'''4)''' The 2nd FIFO now contains only data in the ''.pcacp'' format from which ''wireshark'' will read from
  
List the major tasks in your project and who did what.
+
'''5)''' Now ''wireshark'' has all the traffic data from the beaglebone and can now be analyzed using the GUI provided
  
Also list here what doesn't work yet and when you think it will be finished and who is finishing it.
+
== Work Breakdown ==
  
 +
'''''Major Tasks:'''''
 +
* Try to compile ''wireshark'' on the beaglebone - Manuel Stephan
 +
* Try to crosscompile ''wireshark'' via the host - Ben Paras
 +
* Consulted Patrick Vogelaar for ''wireshark'' usability - Manuel Stephan and Ben Paras
 +
* Formulate new method to monitor traffic on the beaglebone - Manuel Stephan and Ben Paras
 +
* Evaluate new method and determine what needs to be done for it to work - Manuel Stephan and Ben Paras
 +
* Figure out how to interface ''tcpdump'' and ''wireshark'' using ''named pipes'' - Ben Paras
 +
* Learn about ''.pcap'' format and how to parse it - Manuel Stephan
 +
* Write the ''wireparser'' to filter out the captures - Manuel Stephan
 +
* Test out the ''wiresparser'' by using gHex and whether or not it parsed correct and incorret .pcap formats. -Ben Paras
 +
* Clean up and separate ''wiresparser'' into components and create a Makefile for it - Ben Paras
 +
* Write '''capture.sh''' - Manuel Stephan
 +
* Test '''capture.sh''' - Ben Paras
 +
* Documentation 1 (Executive Summary, Theory of Operation, Future Work) - Manuel Stephan
 +
* Documentation 2 (Installation Instructions, User Instructions, Work Breakdown) - Ben Paras
 +
* Take a youtube demo video and upload - Manuel Stephan and Ben Paras
 +
* Documentation 3 (Highlights and Conclusions) - Manuel Stephan and Ben Paras
  
[[File:timeline.png|200px|framed|center|Timeline and major milestones of the project.]]
+
The timeline below shows the tasks and major milestones and when they were accomplished:
 +
[[File:timeline.png|200px|framed|center|Timeline showing tasks and major milestones of the project.]]
  
 
== Future Work ==
 
== Future Work ==
  
Suggest addition things that could be done with this project.
+
*Include the reversed magic number (''0xd4c3b2a1'') in the parser
 +
Currently the parser just looks for the magic number (''0xa1b2c3d4'') in the pcap captures and not the reverse magic number (''0xd4c3b2a1'')
  
== Conclusions ==
+
*Increase the parsing speed
 +
The parser keeps checking for the magic number even if it was already found. This results in additional cpu usage.
 +
It should be possible to change the parser and add a forward mode to it so it just forwards all data after the magic number was found. This could increase the speed of the parser significantly.
 +
 
 +
*Evaluate the parser if it is able to process a lot of data.
 +
Currently we just used the parser to process the traffic created by loading a homepage. We did not monitor the traffic of a huge download yet.
  
Give some concluding thoughts about the project. Suggest some future additions that could make it even more interesting.
+
*Excluding the ssh traffic in ''wireshark'' when monitoring the traffic on the beaglebone.
  
 +
== Conclusions ==
 +
With our project, we made it possible to capture and analyze the network traffic on linux embedded devices using efficient tcpdump on the embedded device and capable wireshark with GUI on a host computer. The fact that we can monitor traffic on the beaglebone enables numerous issues arise with regards the the beaglebone security. Trying to figure out certain security measures on the beaglebone would be another follow up project that would prove useful to us all as the subject of network security can be expanded into embedded systems.
  
 
== Special Thanks to: ==
 
== Special Thanks to: ==
  
B.Eng Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.   
+
Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.   
 
{{YoderFoot}}
 
{{YoderFoot}}

Latest revision as of 05:44, 14 October 2014

thumb‎ Embedded Linux Class by Mark A. Yoder


Team members: Ben Paras, Manuel Stephan

Executive Summary

We want to monitor and analyze any network traffic on the BeagleBone. Initially we wanted to port wireshark on to the bone, but after much experimentation and research, we decided to implement a different approach. We are currently able to monitor traffic on usb0 and eth0 on the BeagleBone using tcpdump on the BeagleBone and wireshark on the host computer. As a demonstration, we are able to see if anyone is accessing the BeagleBone via port 3000 (cloud9 IDE).

Almost everything is working and we were able to get this project working on multiple computers as well. What currently could be implemented is updating the wireparser to also look for a reverse magic number instead of just the normal magic number (read more in Theory of Operation section).

A lot of time in this project was spent trying to port wireshark to the BeagleBone, but using the alternative solution we found was a lot more productive. By using tcpdump on the BeagleBone and wireshark on the host computer our approach is optimal in terms of resource usage and performance.

Installation Instructions

Prerequisites

Hardware requirements:

  • Beagle Bone Black
  • Linux host computer running Ubuntu 12.04 LTS or later
  • USB cable
  • Ethernet Cable

Software requirements:

  • Wireshark
  • The g++ compiler
  • Make

If you do not have these, you can get them with these commands:

host$ sudo apt-get install wireshark
host$ sudo apt-get install g++
host$ sudo apt-get install make

Getting the sources:

Do a git clone on our repository to get all the sources you need and do an ls to see them:

host$ git clone git@github.com:manuelstephan/eLinuxProject.git wireShark
host$ cd wireShark
host$ ls
confused.pcap  Makefile   ooP.cpp        README.md  wireparser.cpp
main.cpp       Makefile~  original.pcap  run.sh     wireparser.hpp

You should have a matching directory from above, if not, do a git pull

To build the binary of the wireparser you just have to type make. No additional configuration is required.

host$ make
g++ -c wireparser.cpp
g++ -c main.cpp
g++ -o wireparser wireparser.o main.o

Confiugration and Setup:

Now you need tcpdump so ssh to your beaglebone and check if tcpdump is installed:

host$ ssh root@192.168.7.2
bealge$ which tcpdump 
/usr/sbin/tcpdump

Make sure tcpdump exists and is configured to the path: /usr/sbin/tcpdump

If it isn't installed, install it:

beagle$ opkg install tcpdump

It should automatically configured to the path: /usr/sbin/tcpdump

Now you need an ssh-id on the beaglebone so you can log onto it without typing a password. The script that sets up and runs program needs it to work. Otherwise the process of typing in a password interferes with it.

First do a ssh-keygen:

host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire      
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in wire.
Your public key has been saved in wire.pub.
The key fingerprint is:
99:e4:9d:14:af:ec:e7:e7:39:9a:4d:e2:3c:31:16:ba bp@bp-HP-EliteBook-8530w
The key's randomart image is:
+--[ RSA 2048]----+
|          .      |
|           o     |
|        . . .    |
|       o * o.    |
|        S =. .   |
|         .. +    |
|          .ooo.  |
|          E=.=o. |
|            *=+. |
+-----------------+

You should get something similar to above. Now copy the key to the beaglebone:

host$ ssh-copy-id root@192.168.7.2
Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in:
 ~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

From here just type exit

Now everything is prepared for the actual operation. See User Instructions in the next section to learn how to do a live capture on the beaglebone via the host and wireshark.

Here is a link to the github page from where the git clone operation above is running on: https://github.com/manuelstephan/eLinuxProject

User Instructions

Before you start, make sure the beaglebone is connected via USB to your host computer. After that, follow this one step to get everything running.

1) Run capture.sh (eth0 or usb0)

If you haven't already previously, make sure you run make in the eLinuxProject git directory

host$ make
g++ -c wireparser.cpp
g++ -c main.cpp
g++ -o wireparser wireparser.o main.o

Now run the capture.sh script:

hoat$ ./capture.sh eth0 or host$ ./capture.sh usb0 
Capturing from eth0
wireshark is installed on your system.
mkfifo /tmp/myfifo0 was created .. 
mkfifo /tmp/myfifo1 was created .. 
Starting tcpdump ...
Tcpdump running ...
Starting wireshark ... 
Wireshark running ... 
Starting wireparser ... 
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

capture.sh takes in an interface parameter (eth0 or usb0) according to what part of the beagle bone you are watching

This runs the script that sets up and runs everything. After this script is ran, wireshark should open up:

Wireshark upon opening.

Now connect to the beaglebone's ethernet port and wait for the packets to arrive. It should take a few seconds. Once they arrive, you should see something like this:

Wireshark once it sees packets.

Now you can connect anything to either the usb0 or eth0 port of the beaglebone and monitor the traffic.

To exit and stop everything,just do a CTRL+C:

host$ CTRL+C
^Ccleaning up ....

This will close and clean up everything so you should save the captures before doing CTRL+C

For more information check out this youtube video tutorial on Wireshark: http://www.youtube.com/watch?v=UFAA_7lpkTE

or visit http://www.wireshark.org/docs for more tutorials on Wireshark.

Highlights

The main highlight of the project is that we can monitor network traffic on the beaglebone.

Here is a youtube video demo of monitoring activity on port 3000 (cloud 9 IDE) of the beaglebone:

beaglebone network monitoring

In the youtube video we show what can be done with our project. Basically,we set up tcpdump on the beaglebone and wireshark on the host computer. We then monitor the traffic that is going through the ethernet interface of the beaglebone.Then we connect the beaglebone on port 3000 (Cloud 9 IDE) from a other computer. All the packets going back and fourth are displayed in by wireshark so we can see if somebody else is accessing the beaglebone via port 3000. As port 3000 is a big security hole on the beaglebone we think this video helps to make you aware of it.

Theory of Operation

Components:

  • Named pipes - These are basically FIFOs. Many processes can share data through the named pipe.


  • tcpdump - A powerful commandline packet analyzer. It is very efficient to use on embedded systems due to its efficiency. The beaglebone also comes with this already installed. It is possible to forward tcpdump traffic over ssh.


  • wireshark - A packet analysis tool that comes with a GUI. This is very resource-consuming so it is not ideal to use this on an embedded system. The captures from wireshark also take up a lot of space so its a good idea to be running wireshark on a more powerful system such as your host computer.


  • .pcap - These are packet capture files. The following is the file format of .pcacp files (courtesy of wiki.wireshark.org):
.pcacp file format.

This format is supported by both wireshark and tcpdump. The Global Header has a magic number that you need to look for in order to parse the traffic.

typedef struct pcap_hdr_s {
       guint32 magic_number;   /* magic number */
       guint16 version_major;  /* major version number */
       guint16 version_minor;  /* minor version number */
       gint32  thiszone;       /* GMT to local correction */
       guint32 sigfigs;        /* accuracy of timestamps */
       guint32 snaplen;        /* max length of captured packets, in octets */
       guint32 network;        /* data link type */
} pcap_hdr_t;

The magic number ( 0xa1b2c3d4 (identical) or 0xd4c3b2a1 (swapped) ) is always located at the beginning at the global header.


  • wireparser - This is a c++ program that looks for the magic number and throws away everything before the magic number. After if finds the magic number, the rest of the data is passed through.


Operation workflow:

1) Check for existing FIFOs and delete them if they do exist - existing FIFOs may have junk information

2) Create 2 FIFOs in /tmp - myfifo0 and myfifo1

3) Start tcpdump in the background on the beaglebone with the parameters to use pcap format, listen to a specified interface (usb0 or eht0), and then pipe it to /tmp/myfifo0

4) Start wireshark in the background on the host with the parameters to start the capture immediately, capture the interface (/tmp/myfifo1)

5) Start the wireparser which will read from /tmp/myfifo0 , filter it, and write it to /tmp/myfifo1 from which wireshark will read from

6) Any data through tcpdump should appear in the wireshark graphical interface

7) Once finished with capture, CTRL+C to stop everything (wireshark , wireparser, and tcpdump)

All these steps are done in the capture.sh script that was made. See the graphic below for a visualization of the how the programs interact:

Overview of the System.

The graphic above represents what occurs in the whole process and is explained as follows:

1) The packets captured by tcpdump on the beaglebone from the specified interfaced interface are forwarded over ssh to the 1st FIFO on the host computer

2) The wireparser reads from the 1st FIFO and looks for the magic number 0xa1b2c3d4

3) Everything before the magic number is filtered out and the rest of the data (including the magic number) is passed to the 2nd FIFO

4) The 2nd FIFO now contains only data in the .pcacp format from which wireshark will read from

5) Now wireshark has all the traffic data from the beaglebone and can now be analyzed using the GUI provided

Work Breakdown

Major Tasks:

  • Try to compile wireshark on the beaglebone - Manuel Stephan
  • Try to crosscompile wireshark via the host - Ben Paras
  • Consulted Patrick Vogelaar for wireshark usability - Manuel Stephan and Ben Paras
  • Formulate new method to monitor traffic on the beaglebone - Manuel Stephan and Ben Paras
  • Evaluate new method and determine what needs to be done for it to work - Manuel Stephan and Ben Paras
  • Figure out how to interface tcpdump and wireshark using named pipes - Ben Paras
  • Learn about .pcap format and how to parse it - Manuel Stephan
  • Write the wireparser to filter out the captures - Manuel Stephan
  • Test out the wiresparser by using gHex and whether or not it parsed correct and incorret .pcap formats. -Ben Paras
  • Clean up and separate wiresparser into components and create a Makefile for it - Ben Paras
  • Write capture.sh - Manuel Stephan
  • Test capture.sh - Ben Paras
  • Documentation 1 (Executive Summary, Theory of Operation, Future Work) - Manuel Stephan
  • Documentation 2 (Installation Instructions, User Instructions, Work Breakdown) - Ben Paras
  • Take a youtube demo video and upload - Manuel Stephan and Ben Paras
  • Documentation 3 (Highlights and Conclusions) - Manuel Stephan and Ben Paras

The timeline below shows the tasks and major milestones and when they were accomplished:

Timeline showing tasks and major milestones of the project.

Future Work

  • Include the reversed magic number (0xd4c3b2a1) in the parser

Currently the parser just looks for the magic number (0xa1b2c3d4) in the pcap captures and not the reverse magic number (0xd4c3b2a1)

  • Increase the parsing speed

The parser keeps checking for the magic number even if it was already found. This results in additional cpu usage. It should be possible to change the parser and add a forward mode to it so it just forwards all data after the magic number was found. This could increase the speed of the parser significantly.

  • Evaluate the parser if it is able to process a lot of data.

Currently we just used the parser to process the traffic created by loading a homepage. We did not monitor the traffic of a huge download yet.

  • Excluding the ssh traffic in wireshark when monitoring the traffic on the beaglebone.

Conclusions

With our project, we made it possible to capture and analyze the network traffic on linux embedded devices using efficient tcpdump on the embedded device and capable wireshark with GUI on a host computer. The fact that we can monitor traffic on the beaglebone enables numerous issues arise with regards the the beaglebone security. Trying to figure out certain security measures on the beaglebone would be another follow up project that would prove useful to us all as the subject of network security can be expanded into embedded systems.

Special Thanks to:

Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.



thumb‎ Embedded Linux Class by Mark A. Yoder