Difference between revisions of "ECE497 Project WireShark"

From eLinux.org
Jump to: navigation, search
(Installation Instructions)
m (Moved to ECE497Fall2013)
 
(35 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[[Category:ECE497 |Project]]
+
[[Category:ECE497Fall2013 |Project]]
 
{{YoderHead}}
 
{{YoderHead}}
  
 
Team members: [[user:Parasby| Ben Paras]], [[User:Manuel | Manuel Stephan]]  
 
Team members: [[user:Parasby| Ben Paras]], [[User:Manuel | Manuel Stephan]]  
  
== Grading Template ==
+
== Executive Summary ==
I'm using the following template to grade. Each slot is 10 points.
+
 
0 = Missing, 5=OK, 10=Wow!
+
We want to monitor and analyze any network traffic on the BeagleBone. Initially we wanted to port ''wireshark'' on to the bone, but after much experimentation and research, we decided to implement a different approach. We are currently able to monitor traffic on ''usb0'' and ''eth0'' on the BeagleBone using ''tcpdump'' on the BeagleBone and ''wireshark'' on the host computer. As a demonstration, we are able to see if anyone is accessing the BeagleBone via port 3000 (''cloud9'' IDE).
 +
 
 +
Almost everything is working and we were able to get this project working on multiple computers as well. What currently could be implemented is updating the ''wireparser'' to also look for a reverse magic number instead of just the normal magic number (read more in Theory of Operation section).
 +
 
 +
A lot of time in this project was spent trying to port ''wireshark'' to the BeagleBone, but using the alternative solution we found was a lot more productive. By using tcpdump on the BeagleBone and ''wireshark'' on the host computer our approach is optimal in terms of resource usage and performance.
 +
 
 +
== Installation Instructions ==
 +
 
 +
=== Prerequisites ===
 +
'''''Hardware requirements:''''' 
 +
*Beagle Bone Black
 +
*Linux host computer running Ubuntu 12.04 LTS or later
 +
*USB cable
 +
*Ethernet Cable
  
<pre style="color:red">
+
'''''Software requirements:'''''
00 Executive Summary
+
* Wireshark
00 Installation Instructions
+
* The g++ compiler
00 User Instructions
+
* Make
00 Highlights
+
If you do not have these, you can get them with these commands:  
00 Theory of Operation
 
00 Work Breakdown
 
00 Future Work
 
00 Conclusions
 
00 Demo
 
00 Late
 
Comments: I'm looking forward to seeing this.
 
  
Score: 10/100
+
  host$ '''sudo apt-get install wireshark'''
</pre>
+
host$ '''sudo apt-get install g++'''
 +
host$ '''sudo apt-get install make'''
  
<span style="color:red">(Inline Comment)</span>
+
'''''Getting the sources:'''''
  
== Executive Summary ==
+
Do a '''git clone''' on our repository to get all the sources you need and do an '''ls''' to see them:
  
We want to try to port WireShark and see what we could get working on the BeagleBone.  
+
host$ '''git clone git@github.com:manuelstephan/eLinuxProject.git wireShark'''
 +
host$ '''cd wireShark'''
 +
host$ '''ls'''
 +
confused.pcap  Makefile  ooP.cpp        README.md  wireparser.cpp
 +
main.cpp      Makefile~  original.pcap  run.sh    wireparser.hpp
  
As it was a problem to get wireshark compiled on the beaglebone after some skype sessions with Patrick Vogelaar, Graduate student in Advanced Communications at Napier in Edinburgh we thought of the problem in a different way. Instead of porting ressource consuming wireshark to the beaglebone we use tcpdump on the bone to just monitor the traffic. The traffic is tehn piped through ssh to the host computer and then analyzed by wireshark. So we get use the full capability of wireshark on a host computer and use lean tcpdump on the beaglebone.
+
You should have a matching directory from above, if not, do a '''git pull'''
  
 +
To build the binary of the wireparser you just have to type '''make'''. No additional configuration is required. 
  
== Installation Instructions ==
+
host$ '''make'''
 +
g++ -c wireparser.cpp
 +
g++ -c main.cpp
 +
g++ -o wireparser wireparser.o main.o
 +
 +
'''''Confiugration and Setup:'''''
  
=== Prerequisites ===
+
Now you need '''tcpdump''' so ssh to your beaglebone and check if tcpdump is installed:
Hardware requirements:  
+
host$ '''ssh root@192.168.7.2'''
Beagle Bone Black
+
bealge$ '''which tcpdump'''
Linux host computer, we used Ubuntu 12.04 LTS
+
/usr/sbin/tcpdump
USB cable
 
Ethernet Cable
 
  
Software requirements:
+
Make sure '''tcpdump''' exists and is configured to the path: ''/usr/sbin/tcpdump''
Wireshark installed on your host computer
 
If you do not have wireshark get it with:  
 
  
{| style="color:green; background-color:CDCDCD;" cellpadding="10" cellspacing="0" border="1"
+
If it isn't installed, install it:  
|-
+
beagle$ '''opkg install tcpdump'''
|'''sudo apt-get install wireshark'''
+
It should automatically configured to the path: ''/usr/sbin/tcpdump''
|-
 
|}
 
  
The g++ compiler. It is a C++ compiler that is required for our wireparser that is written in C++.
+
Now you need an ssh-id on the beaglebone so you can log onto it without typing a password. The script that sets up and runs program needs it to work. Otherwise the process of typing in a password interferes with it.
If you do not have it, you can get it with:
 
  
{| style="color:green; background-color:CDCDCD;" cellpadding="10" cellspacing="0" border="1"
+
First do a '''ssh-keygen''':
|-
+
host$ '''ssh-keygen'''
|'''sudo apt-get install g++'''
+
Generating public/private rsa key pair.
|-
+
Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire     
|}
+
Enter passphrase (empty for no passphrase):
 +
Enter same passphrase again:
 +
Your identification has been saved in wire.
 +
Your public key has been saved in wire.pub.
 +
The key fingerprint is:
 +
99:e4:9d:14:af:ec:e7:e7:39:9a:4d:e2:3c:31:16:ba bp@bp-HP-EliteBook-8530w
 +
The key's randomart image is:
 +
+--[ RSA 2048]----+
 +
|          .      |
 +
|          o    |
 +
|        . . .    |
 +
|      o * o.    |
 +
|        S =. .  |
 +
|        .. +   |
 +
|          .ooo.  |
 +
|          E=.=o. |
 +
|            *=+. |
 +
+-----------------+
  
Make is required. It creates the makefile that compiles and links the neccessary files to create a binary out of our source.  
+
You should get something similar to above. Now copy the key to the beaglebone:
If you do not have it, you can get it with:  
+
host$ '''ssh-copy-id root@192.168.7.2'''
 +
Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in:
 +
  ~/.ssh/authorized_keys
 +
to make sure we haven't added extra keys that you weren't expecting.
  
 +
From here just type '''exit'''
  
{| style="color:green; background-color:CDCDCD;" cellpadding="10" cellspacing="0" border="1"
+
Now everything is prepared for the actual operation. See User Instructions in the next section to learn how to do a live capture on the beaglebone via the host and wireshark.
|-
 
|'''sudo apt-get install make'''
 
|-
 
|}
 
  
Getting the sources:  
+
Here is a link to the github page from where the '''git clone''' operation above is running on:
 +
[https://github.com/manuelstephan/eLinuxProject https://github.com/manuelstephan/eLinuxProject]
  
do a git clone on our repository to get all the sources you need
+
== User Instructions ==
 +
Before you start, make sure the beaglebone is connected via USB to your host computer. After that,
 +
follow this one step to get everything running.
  
To build the binary of the wireparser you just have to type make. No additional configuration is required.   
+
====1) Run capture.sh (eth0 or usb0)====
 +
If you haven't already previously, make sure you run '''make''' in the eLinuxProject git directory
 +
host$ '''make'''
 +
g++ -c wireparser.cpp
 +
g++ -c main.cpp
 +
  g++ -o wireparser wireparser.o main.o
  
{| style="color:green; background-color:CDCDCD;" cellpadding="10" cellspacing="0" border="1"
+
Now run the capture.sh script:
|-
+
hoat$ '''./capture.sh eth0''' or host$ '''./capture.sh usb0'''  
|'''make'''
+
Capturing from eth0
|-
+
wireshark is installed on your system.
|}
+
mkfifo /tmp/myfifo0 was created ..
 +
mkfifo /tmp/myfifo1 was created ..
 +
Starting tcpdump ...
 +
Tcpdump running ...
 +
Starting wireshark ...
 +
Wireshark running ...
 +
Starting wireparser ...
 +
tcpdump: WARNING: eth0: no IPv4 address assigned
 +
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
  
If you do a ls on your directory you should have following files in there.
+
'''capture.sh''' takes in an interface parameter (eth0 or usb0) according to what part of the beagle bone you are watching
Now it is time to set up the beaglebone black for further ...
 
  
ssh to your beaglebone and check if tcpdump is installed
+
This runs the script that sets up and runs everything. After this script is ran, wireshark should open up:
{| style="color:green; background-color:CDCDCD;" cellpadding="10" cellspacing="0" border="1"
 
|-
 
|'''ssh root@192.168.7.2'''
 
|-
 
|}
 
  
if not install it
+
[[File:Wiresharkempty.png|framed|center|Wireshark upon opening.|100px]]
  
do this ssh identities ...  
+
Now connect to the beaglebone's ethernet port and wait for the packets to arrive. It should take a few seconds. Once they arrive, you should see something like this:
  
Now everything is prepared for the actual operation.  
+
[[File:WiresharkBeagle.png|framed|center|Wireshark once it sees packets.|100px]]
You can now type
 
{| style="color:green; background-color:CDCDCD;" cellpadding="10" cellspacing="0" border="1"
 
|-
 
|'''sudo ./run.sh to set everything up'''
 
|-
 
|}
 
  
The run script sets up everything for correct operation ...
+
Now you can connect anything to either the usb0 or eth0 port of the beaglebone and monitor the traffic.  
now continue with user instructions.
 
  
+
To exit and stop everything,just do a '''CTRL+C''':
* Include your [https://github.com/ github] path as a link like this to the read-only git site[https://github.com/MarkAYoder/gitLearn https://github.com/MarkAYoder/gitLearn].
+
  host$ '''CTRL+C'''
* Be sure your README.md is includes an up-to-date and clear description of your project so that someone who comes across you git repository can quickly learn what you did and how they can reproduce it.
+
^Ccleaning up ....
* Include a Makefile for you code.
 
* Include any additional packages installed via '''opkg'''.
 
* Include kernel mods.
 
* If there is extra hardware needed, include links to where it can be obtained.
 
  
== User Instructions ==
+
This will close and clean up everything so you should save the captures before doing '''CTRL+C'''
Now the graphical interface of wireshark should pop up and you sholuld see the traffic flowing through the network of the beagle. ....
 
  
 +
For more information check out this youtube video tutorial on Wireshark:
 +
http://www.youtube.com/watch?v=UFAA_7lpkTE
  
Once everything is installed, how do you use the program?  Give details here, so if you have a long user manual, link to it here.
+
or visit http://www.wireshark.org/docs for more tutorials on Wireshark.
  
 
== Highlights ==
 
== Highlights ==
  
Here is where you brag about what your project can do.
+
The main highlight of the project is that we can monitor network traffic on the beaglebone.
 +
 
 +
Here is a youtube video demo of monitoring activity on port 3000 (cloud 9 IDE) of the beaglebone:
 +
 
 +
[http://www.youtube.com/watch?v=H3Eu8Ujmm-A&feature=youtu.be beaglebone network monitoring]
  
Include a [http://www.youtube.com/ YouTube] demo.
+
In the youtube video we show what can be done with our project. Basically,we set up tcpdump on the beaglebone and ''wireshark'' on the host computer. We then monitor the traffic that is going through the ethernet interface of the beaglebone.Then we connect the beaglebone on port 3000 (Cloud 9 IDE) from a other computer. All the packets going back and fourth are displayed in by ''wireshark'' so we can see if somebody else is accessing the beaglebone via port 3000. As port 3000 is a big security hole on the beaglebone we think this video helps to make you aware of it.
  
 
== Theory of Operation ==
 
== Theory of Operation ==
 +
 +
'''''Components:'''''
 +
* ''[http://en.wikipedia.org/wiki/Named_pipe Named pipes]'' - These are basically [http://en.wikipedia.org/wiki/FIFO FIFO]s. Many processes can share data through the named pipe.
 +
 +
 +
* ''[http://www.tcpdump.org/ tcpdump]''  - A powerful commandline packet analyzer. It is very efficient to use on embedded systems due to its efficiency. The beaglebone also comes with this already installed. It is possible to forward tcpdump traffic over ssh.
 +
 +
 +
* ''[http://www.wireshark.org/ wireshark]'' - A packet analysis tool that comes with a GUI. This is very resource-consuming so it is not ideal to use this on an embedded system. The captures from wireshark also take up a lot of space so its a good idea to be running wireshark on a more powerful system such as your host computer.
  
  
[[File:SystemOverview.png|framed|center|Overview of the System.|100px]]
+
* ''[http://wiki.wireshark.org/Development/LibpcapFileFormat .pcap] '' - These are packet capture files. The following is the file format of .pcacp files (courtesy of wiki.wireshark.org):
 +
[[File:pcapFormat.png|framed|center|.pcacp file format.|100px]]
 +
This format is supported by both ''wireshark'' and ''tcpdump''. The Global Header has a magic number that you need to look for in order to parse the traffic.
 +
typedef struct pcap_hdr_s {
 +
        guint32 magic_number;  /* magic number */
 +
        guint16 version_major;  /* major version number */
 +
        guint16 version_minor;  /* minor version number */
 +
        gint32  thiszone;      /* GMT to local correction */
 +
        guint32 sigfigs;        /* accuracy of timestamps */
 +
        guint32 snaplen;        /* max length of captured packets, in octets */
 +
        guint32 network;        /* data link type */
 +
} pcap_hdr_t;
 +
 
 +
The magic number ( ''0xa1b2c3d4'' (identical) or ''0xd4c3b2a1'' (swapped) ) is always located at the beginning at the global header.
  
This part is currently under construction ... so the information provided is not jet finalized ...
 
  
The beaglebone black is attached to ethernet. Tcpdump is running on the beaglebone in a special mode and listens to eth0.
+
* ''wireparser'' - This is a c++ program that looks for the magic number and throws away everything before the magic number. After if finds the magic number, the rest of the data is passed through.  
The beaglebone is connected with a host via ssh over the usb interface. All data captured by tcpdump is forwarded over ssh to the host computer. The host computer provides 2 named pipes so called fifos. All the ssh traffic is piped to the first fifo. The wireparser reads out of the fifo and filters non pcap stuff out. Then the filtered packages are piper to fifo2. Wireshark is started in a special mode to read out of fifo 2 and provides a graphical interface for analysis of the packets.  
 
  
No matter that we are using very low ressource consuming tcpdump on the beaglebone we do have the capability for live captures and analysis of the networktraffic.
 
  
== Work Breakdown ==
+
'''''Operation workflow:'''''
  
Job to do:
+
'''1)''' Check for existing FIFOs and delete them if they do exist - existing FIFOs may have junk information
Get wireshark running on the beagelbone black.
 
  
 +
'''2)''' Create 2 FIFOs in ''/tmp''  - ''myfifo0'' and ''myfifo1''
  
Requirements Specification
+
'''3)''' Start ''tcpdump'' in the background on the beaglebone with the parameters to use pcap format,
 +
listen to a specified interface (usb0 or eht0), and then pipe it to ''/tmp/myfifo0''
  
The user shall be able to monitor tcp/ip traffic on the beaglebone black.
+
'''4)''' Start ''wireshark'' in the background on the host with the parameters to start the capture immediately, capture the interface (''/tmp/myfifo1'')
The user shall be able to use wiresharks large capabilities to filter and analyze datapackets.
 
  
The user should be able to use a graphical interface.
+
'''5)''' Start the wireparser which will read from ''/tmp/myfifo0'' , filter it, and write it to ''/tmp/myfifo1'' from which ''wireshark'' will read from
  
 +
'''6)''' Any data through ''tcpdump'' should appear in the ''wireshark'' graphical interface
  
Major tasks:
+
'''7)''' Once finished with capture, '''CTRL+C''' to stop everything (''wireshark'' , ''wireparser'', and ''tcpdump'')
Evaluation of the portability of wireshark to the beaglebone black.
 
  
Cross compile approach.
+
All these steps are done in the '''capture.sh''' script that was made. See the graphic below for a visualization of the how the programs interact:
  
Thinking of the problem in a different way. Evaluating if the traffic can be monitored in a other way.  
+
[[File:SystemOverview.png|framed|center|Overview of the System.|100px]]
  
Find out how to filter out ssh relikts.
+
The graphic above represents what occurs in the whole process and is explained as follows:
  
Writing the parser.
+
'''1)''' The packets captured by ''tcpdump'' on the beaglebone from the specified interfaced interface are forwarded over ssh to the 1st FIFO on the host computer
  
Testing the parser.
+
'''2)''' The ''wireparser'' reads from the 1st FIFO and looks for the magic number ''0xa1b2c3d4''
  
Find out how named pipes work.
+
'''3)''' Everything before the magic number is filtered out and the rest of the data (including the magic number) is passed to the 2nd FIFO
Putting it all together
 
Write a makefile to compile the sources.
 
  
 +
'''4)''' The 2nd FIFO now contains only data in the ''.pcacp'' format from which ''wireshark'' will read from
  
List the major tasks in your project and who did what.
+
'''5)''' Now ''wireshark'' has all the traffic data from the beaglebone and can now be analyzed using the GUI provided
  
Also list here what doesn't work yet and when you think it will be finished and who is finishing it.
+
== Work Breakdown ==
  
 +
'''''Major Tasks:'''''
 +
* Try to compile ''wireshark'' on the beaglebone - Manuel Stephan
 +
* Try to crosscompile ''wireshark'' via the host - Ben Paras
 +
* Consulted Patrick Vogelaar for ''wireshark'' usability - Manuel Stephan and Ben Paras
 +
* Formulate new method to monitor traffic on the beaglebone - Manuel Stephan and Ben Paras
 +
* Evaluate new method and determine what needs to be done for it to work - Manuel Stephan and Ben Paras
 +
* Figure out how to interface ''tcpdump'' and ''wireshark'' using ''named pipes'' - Ben Paras
 +
* Learn about ''.pcap'' format and how to parse it - Manuel Stephan
 +
* Write the ''wireparser'' to filter out the captures - Manuel Stephan
 +
* Test out the ''wiresparser'' by using gHex and whether or not it parsed correct and incorret .pcap formats. -Ben Paras
 +
* Clean up and separate ''wiresparser'' into components and create a Makefile for it - Ben Paras
 +
* Write '''capture.sh''' - Manuel Stephan
 +
* Test '''capture.sh''' - Ben Paras
 +
* Documentation 1 (Executive Summary, Theory of Operation, Future Work) - Manuel Stephan
 +
* Documentation 2 (Installation Instructions, User Instructions, Work Breakdown) - Ben Paras
 +
* Take a youtube demo video and upload - Manuel Stephan and Ben Paras
 +
* Documentation 3 (Highlights and Conclusions) - Manuel Stephan and Ben Paras
  
[[File:timeline.png|200px|framed|center|Timeline and major milestones of the project.]]
+
The timeline below shows the tasks and major milestones and when they were accomplished:
 +
[[File:timeline.png|200px|framed|center|Timeline showing tasks and major milestones of the project.]]
  
 
== Future Work ==
 
== Future Work ==
  
Suggest addition things that could be done with this project.
+
*Include the reversed magic number (''0xd4c3b2a1'') in the parser
 +
Currently the parser just looks for the magic number (''0xa1b2c3d4'') in the pcap captures and not the reverse magic number (''0xd4c3b2a1'')
  
== Conclusions ==
+
*Increase the parsing speed
 +
The parser keeps checking for the magic number even if it was already found. This results in additional cpu usage.
 +
It should be possible to change the parser and add a forward mode to it so it just forwards all data after the magic number was found. This could increase the speed of the parser significantly.
 +
 
 +
*Evaluate the parser if it is able to process a lot of data.
 +
Currently we just used the parser to process the traffic created by loading a homepage. We did not monitor the traffic of a huge download yet.
  
Give some concluding thoughts about the project. Suggest some future additions that could make it even more interesting.
+
*Excluding the ssh traffic in ''wireshark'' when monitoring the traffic on the beaglebone.
  
 +
== Conclusions ==
 +
With our project, we made it possible to capture and analyze the network traffic on linux embedded devices using efficient tcpdump on the embedded device and capable wireshark with GUI on a host computer. The fact that we can monitor traffic on the beaglebone enables numerous issues arise with regards the the beaglebone security. Trying to figure out certain security measures on the beaglebone would be another follow up project that would prove useful to us all as the subject of network security can be expanded into embedded systems.
  
 
== Special Thanks to: ==
 
== Special Thanks to: ==
  
B.Eng Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.   
+
Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.   
 
{{YoderFoot}}
 
{{YoderFoot}}

Latest revision as of 05:44, 14 October 2014

thumb‎ Embedded Linux Class by Mark A. Yoder


Team members: Ben Paras, Manuel Stephan

Executive Summary

We want to monitor and analyze any network traffic on the BeagleBone. Initially we wanted to port wireshark on to the bone, but after much experimentation and research, we decided to implement a different approach. We are currently able to monitor traffic on usb0 and eth0 on the BeagleBone using tcpdump on the BeagleBone and wireshark on the host computer. As a demonstration, we are able to see if anyone is accessing the BeagleBone via port 3000 (cloud9 IDE).

Almost everything is working and we were able to get this project working on multiple computers as well. What currently could be implemented is updating the wireparser to also look for a reverse magic number instead of just the normal magic number (read more in Theory of Operation section).

A lot of time in this project was spent trying to port wireshark to the BeagleBone, but using the alternative solution we found was a lot more productive. By using tcpdump on the BeagleBone and wireshark on the host computer our approach is optimal in terms of resource usage and performance.

Installation Instructions

Prerequisites

Hardware requirements:

  • Beagle Bone Black
  • Linux host computer running Ubuntu 12.04 LTS or later
  • USB cable
  • Ethernet Cable

Software requirements:

  • Wireshark
  • The g++ compiler
  • Make

If you do not have these, you can get them with these commands:

host$ sudo apt-get install wireshark
host$ sudo apt-get install g++
host$ sudo apt-get install make

Getting the sources:

Do a git clone on our repository to get all the sources you need and do an ls to see them:

host$ git clone git@github.com:manuelstephan/eLinuxProject.git wireShark
host$ cd wireShark
host$ ls
confused.pcap  Makefile   ooP.cpp        README.md  wireparser.cpp
main.cpp       Makefile~  original.pcap  run.sh     wireparser.hpp

You should have a matching directory from above, if not, do a git pull

To build the binary of the wireparser you just have to type make. No additional configuration is required.

host$ make
g++ -c wireparser.cpp
g++ -c main.cpp
g++ -o wireparser wireparser.o main.o

Confiugration and Setup:

Now you need tcpdump so ssh to your beaglebone and check if tcpdump is installed:

host$ ssh root@192.168.7.2
bealge$ which tcpdump 
/usr/sbin/tcpdump

Make sure tcpdump exists and is configured to the path: /usr/sbin/tcpdump

If it isn't installed, install it:

beagle$ opkg install tcpdump

It should automatically configured to the path: /usr/sbin/tcpdump

Now you need an ssh-id on the beaglebone so you can log onto it without typing a password. The script that sets up and runs program needs it to work. Otherwise the process of typing in a password interferes with it.

First do a ssh-keygen:

host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire      
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in wire.
Your public key has been saved in wire.pub.
The key fingerprint is:
99:e4:9d:14:af:ec:e7:e7:39:9a:4d:e2:3c:31:16:ba bp@bp-HP-EliteBook-8530w
The key's randomart image is:
+--[ RSA 2048]----+
|          .      |
|           o     |
|        . . .    |
|       o * o.    |
|        S =. .   |
|         .. +    |
|          .ooo.  |
|          E=.=o. |
|            *=+. |
+-----------------+

You should get something similar to above. Now copy the key to the beaglebone:

host$ ssh-copy-id root@192.168.7.2
Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in:
 ~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

From here just type exit

Now everything is prepared for the actual operation. See User Instructions in the next section to learn how to do a live capture on the beaglebone via the host and wireshark.

Here is a link to the github page from where the git clone operation above is running on: https://github.com/manuelstephan/eLinuxProject

User Instructions

Before you start, make sure the beaglebone is connected via USB to your host computer. After that, follow this one step to get everything running.

1) Run capture.sh (eth0 or usb0)

If you haven't already previously, make sure you run make in the eLinuxProject git directory

host$ make
g++ -c wireparser.cpp
g++ -c main.cpp
g++ -o wireparser wireparser.o main.o

Now run the capture.sh script:

hoat$ ./capture.sh eth0 or host$ ./capture.sh usb0 
Capturing from eth0
wireshark is installed on your system.
mkfifo /tmp/myfifo0 was created .. 
mkfifo /tmp/myfifo1 was created .. 
Starting tcpdump ...
Tcpdump running ...
Starting wireshark ... 
Wireshark running ... 
Starting wireparser ... 
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

capture.sh takes in an interface parameter (eth0 or usb0) according to what part of the beagle bone you are watching

This runs the script that sets up and runs everything. After this script is ran, wireshark should open up:

Wireshark upon opening.

Now connect to the beaglebone's ethernet port and wait for the packets to arrive. It should take a few seconds. Once they arrive, you should see something like this:

Wireshark once it sees packets.

Now you can connect anything to either the usb0 or eth0 port of the beaglebone and monitor the traffic.

To exit and stop everything,just do a CTRL+C:

host$ CTRL+C
^Ccleaning up ....

This will close and clean up everything so you should save the captures before doing CTRL+C

For more information check out this youtube video tutorial on Wireshark: http://www.youtube.com/watch?v=UFAA_7lpkTE

or visit http://www.wireshark.org/docs for more tutorials on Wireshark.

Highlights

The main highlight of the project is that we can monitor network traffic on the beaglebone.

Here is a youtube video demo of monitoring activity on port 3000 (cloud 9 IDE) of the beaglebone:

beaglebone network monitoring

In the youtube video we show what can be done with our project. Basically,we set up tcpdump on the beaglebone and wireshark on the host computer. We then monitor the traffic that is going through the ethernet interface of the beaglebone.Then we connect the beaglebone on port 3000 (Cloud 9 IDE) from a other computer. All the packets going back and fourth are displayed in by wireshark so we can see if somebody else is accessing the beaglebone via port 3000. As port 3000 is a big security hole on the beaglebone we think this video helps to make you aware of it.

Theory of Operation

Components:

  • Named pipes - These are basically FIFOs. Many processes can share data through the named pipe.


  • tcpdump - A powerful commandline packet analyzer. It is very efficient to use on embedded systems due to its efficiency. The beaglebone also comes with this already installed. It is possible to forward tcpdump traffic over ssh.


  • wireshark - A packet analysis tool that comes with a GUI. This is very resource-consuming so it is not ideal to use this on an embedded system. The captures from wireshark also take up a lot of space so its a good idea to be running wireshark on a more powerful system such as your host computer.


  • .pcap - These are packet capture files. The following is the file format of .pcacp files (courtesy of wiki.wireshark.org):
.pcacp file format.

This format is supported by both wireshark and tcpdump. The Global Header has a magic number that you need to look for in order to parse the traffic.

typedef struct pcap_hdr_s {
       guint32 magic_number;   /* magic number */
       guint16 version_major;  /* major version number */
       guint16 version_minor;  /* minor version number */
       gint32  thiszone;       /* GMT to local correction */
       guint32 sigfigs;        /* accuracy of timestamps */
       guint32 snaplen;        /* max length of captured packets, in octets */
       guint32 network;        /* data link type */
} pcap_hdr_t;

The magic number ( 0xa1b2c3d4 (identical) or 0xd4c3b2a1 (swapped) ) is always located at the beginning at the global header.


  • wireparser - This is a c++ program that looks for the magic number and throws away everything before the magic number. After if finds the magic number, the rest of the data is passed through.


Operation workflow:

1) Check for existing FIFOs and delete them if they do exist - existing FIFOs may have junk information

2) Create 2 FIFOs in /tmp - myfifo0 and myfifo1

3) Start tcpdump in the background on the beaglebone with the parameters to use pcap format, listen to a specified interface (usb0 or eht0), and then pipe it to /tmp/myfifo0

4) Start wireshark in the background on the host with the parameters to start the capture immediately, capture the interface (/tmp/myfifo1)

5) Start the wireparser which will read from /tmp/myfifo0 , filter it, and write it to /tmp/myfifo1 from which wireshark will read from

6) Any data through tcpdump should appear in the wireshark graphical interface

7) Once finished with capture, CTRL+C to stop everything (wireshark , wireparser, and tcpdump)

All these steps are done in the capture.sh script that was made. See the graphic below for a visualization of the how the programs interact:

Overview of the System.

The graphic above represents what occurs in the whole process and is explained as follows:

1) The packets captured by tcpdump on the beaglebone from the specified interfaced interface are forwarded over ssh to the 1st FIFO on the host computer

2) The wireparser reads from the 1st FIFO and looks for the magic number 0xa1b2c3d4

3) Everything before the magic number is filtered out and the rest of the data (including the magic number) is passed to the 2nd FIFO

4) The 2nd FIFO now contains only data in the .pcacp format from which wireshark will read from

5) Now wireshark has all the traffic data from the beaglebone and can now be analyzed using the GUI provided

Work Breakdown

Major Tasks:

  • Try to compile wireshark on the beaglebone - Manuel Stephan
  • Try to crosscompile wireshark via the host - Ben Paras
  • Consulted Patrick Vogelaar for wireshark usability - Manuel Stephan and Ben Paras
  • Formulate new method to monitor traffic on the beaglebone - Manuel Stephan and Ben Paras
  • Evaluate new method and determine what needs to be done for it to work - Manuel Stephan and Ben Paras
  • Figure out how to interface tcpdump and wireshark using named pipes - Ben Paras
  • Learn about .pcap format and how to parse it - Manuel Stephan
  • Write the wireparser to filter out the captures - Manuel Stephan
  • Test out the wiresparser by using gHex and whether or not it parsed correct and incorret .pcap formats. -Ben Paras
  • Clean up and separate wiresparser into components and create a Makefile for it - Ben Paras
  • Write capture.sh - Manuel Stephan
  • Test capture.sh - Ben Paras
  • Documentation 1 (Executive Summary, Theory of Operation, Future Work) - Manuel Stephan
  • Documentation 2 (Installation Instructions, User Instructions, Work Breakdown) - Ben Paras
  • Take a youtube demo video and upload - Manuel Stephan and Ben Paras
  • Documentation 3 (Highlights and Conclusions) - Manuel Stephan and Ben Paras

The timeline below shows the tasks and major milestones and when they were accomplished:

Timeline showing tasks and major milestones of the project.

Future Work

  • Include the reversed magic number (0xd4c3b2a1) in the parser

Currently the parser just looks for the magic number (0xa1b2c3d4) in the pcap captures and not the reverse magic number (0xd4c3b2a1)

  • Increase the parsing speed

The parser keeps checking for the magic number even if it was already found. This results in additional cpu usage. It should be possible to change the parser and add a forward mode to it so it just forwards all data after the magic number was found. This could increase the speed of the parser significantly.

  • Evaluate the parser if it is able to process a lot of data.

Currently we just used the parser to process the traffic created by loading a homepage. We did not monitor the traffic of a huge download yet.

  • Excluding the ssh traffic in wireshark when monitoring the traffic on the beaglebone.

Conclusions

With our project, we made it possible to capture and analyze the network traffic on linux embedded devices using efficient tcpdump on the embedded device and capable wireshark with GUI on a host computer. The fact that we can monitor traffic on the beaglebone enables numerous issues arise with regards the the beaglebone security. Trying to figure out certain security measures on the beaglebone would be another follow up project that would prove useful to us all as the subject of network security can be expanded into embedded systems.

Special Thanks to:

Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.



thumb‎ Embedded Linux Class by Mark A. Yoder