ECE497 Project WireShark

From eLinux.org
Revision as of 13:46, 6 November 2013 by Parasby (talk | contribs)
Jump to: navigation, search

thumb‎ Embedded Linux Class by Mark A. Yoder


Team members: Ben Paras, Manuel Stephan

Grading Template

I'm using the following template to grade. Each slot is 10 points. 0 = Missing, 5=OK, 10=Wow!

00 Executive Summary
00 Installation Instructions 
00 User Instructions
00 Highlights
00 Theory of Operation
00 Work Breakdown
00 Future Work
00 Conclusions
00 Demo
00 Late
Comments: I'm looking forward to seeing this.

Score:  10/100

(Inline Comment)

Executive Summary

We want to try to port WireShark and see what we could get working on the BeagleBone.

As it was a problem to get wireshark compiled on the beaglebone after some skype sessions with Patrick Vogelaar, Graduate student in Advanced Communications at Napier in Edinburgh we thought of the problem in a different way. Instead of porting ressource consuming wireshark to the beaglebone we use tcpdump on the bone to just monitor the traffic. The traffic is tehn piped through ssh to the host computer and then analyzed by wireshark. So we get use the full capability of wireshark on a host computer and use lean tcpdump on the beaglebone.


Installation Instructions

Prerequisites

Hardware requirements:

  • Beagle Bone Black
  • Linux host computer running Ubuntu 12.04 LTS or later
  • USB cable
  • Ethernet Cable

Software requirements:

  • Wireshark
  • The g++ compiler
  • Make

If you do not have these, you can get them with these commands:

sudo apt-get install wireshark
sudo apt-get install g++
sudo apt-get install make

Getting the sources:

Do a git clone on our repository to get all the sources you need and do an ls to see them:

git clone git@github.com:manuelstephan/eLinuxProject.git 
ls
confused.pcap  Makefile   ooP.cpp        README.md  wireparser.cpp
main.cpp       Makefile~  original.pcap  run.sh     wireparser.hpp

You should have a matching directory from above, if not, do a git pull

To build the binary of the wireparser you just have to type make. No additional configuration is required.

make
g++ -c wireparser.cpp
g++ -c main.cpp
g++ -o wireparser wireparser.o main.o

Confiugration and Setup:

Now you need tcpdump so ssh to your beaglebone and check if tcpdump is installed:

ssh root@192.168.7.2
which tcpdump 
/usr/sbin/tcpdump

Make sure tcpdump exists and is configured to the path: /usr/sbin/tcpdump

If it isn't installed, install it:

opkg install tcpdump

It should automatically configured to the path: /usr/sbin/tcpdump

Now you need an ssh-id on the beaglebone so you can log onto it without typing a password. The script that sets up and runs program needs it to work. Otherwise the process of typing in a password interferes with it.

First do a ssh-keygen:

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire      
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in wire.
Your public key has been saved in wire.pub.
The key fingerprint is:
99:e4:9d:14:af:ec:e7:e7:39:9a:4d:e2:3c:31:16:ba bp@bp-HP-EliteBook-8530w
The key's randomart image is:
+--[ RSA 2048]----+
|          .      |
|           o     |
|        . . .    |
|       o * o.    |
|        S =. .   |
|         .. +    |
|          .ooo.  |
|          E=.=o. |
|            *=+. |
+-----------------+

You should get something similar to above. Now copy the key to the beaglebone:

ssh-copy-id root@192.168.7.2
Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in:
 ~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

From here just type exit

Now everything is prepared for the actual operation. See User Instructions in the next section to learn how to do a live capture on the beaglebone via the host and wireshark.

Here is a link to the github page from where the git clone operation above is running on: https://github.com/manuelstephan/eLinuxProject

User Instructions

Before you start, make sure the beaglebone is connected via USB to your host computer.

1) Run capture.sh (eth0 or usb0)

If you haven't already previously, make sure you run make in the eLinuxProject git directory

make
g++ -c wireparser.cpp
g++ -c main.cpp
g++ -o wireparser wireparser.o main.o

Now run the capture.sh script:

./capture.sh eth0 or ./capture.sh usb0 
Capturing from eth0
wireshark is installed on your system.
mkfifo /tmp/myfifo0 was created .. 
mkfifo /tmp/myfifo1 was created .. 
Starting tcpdump ...
Tcpdump running ...
Starting wireshark ... 
Wireshark running ... 
Starting wireparser ... 
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

capture.sh takes in an interface parameter (eth0 or usb0) according to what part of the beagle bone you are watching

This runs the script that sets up and runs everything. After this script is ran, wireshark should open up:


Wireshark upon opening.
Now connect to the beaglebone's ethernet port and wait for the packets to arrive. Once they arrive, you should see something like this:


Once everything is installed, how do you use the program? Give details here, so if you have a long user manual, link to it here.

Highlights

Here is where you brag about what your project can do.

Include a YouTube demo.

Theory of Operation

Overview of the System.

This part is currently under construction ... so the information provided is not jet finalized ...

The beaglebone black is attached to ethernet. Tcpdump is running on the beaglebone in a special mode and listens to eth0. The beaglebone is connected with a host via ssh over the usb interface. All data captured by tcpdump is forwarded over ssh to the host computer. The host computer provides 2 named pipes so called fifos. All the ssh traffic is piped to the first fifo. The wireparser reads out of the fifo and filters non pcap stuff out. Then the filtered packages are piper to fifo2. Wireshark is started in a special mode to read out of fifo 2 and provides a graphical interface for analysis of the packets.

No matter that we are using very low ressource consuming tcpdump on the beaglebone we do have the capability for live captures and analysis of the networktraffic.

Work Breakdown

Job to do: Get wireshark running on the beagelbone black.


Requirements Specification

The user shall be able to monitor tcp/ip traffic on the beaglebone black. The user shall be able to use wiresharks large capabilities to filter and analyze datapackets.

The user should be able to use a graphical interface.


Major tasks: Evaluation of the portability of wireshark to the beaglebone black.

Cross compile approach.

Thinking of the problem in a different way. Evaluating if the traffic can be monitored in a other way.

Find out how to filter out ssh relikts.

Writing the parser.

Testing the parser.

Find out how named pipes work. Putting it all together Write a makefile to compile the sources.


List the major tasks in your project and who did what.

Also list here what doesn't work yet and when you think it will be finished and who is finishing it.


Timeline and major milestones of the project.

Future Work

Suggest addition things that could be done with this project.

Conclusions

Give some concluding thoughts about the project. Suggest some future additions that could make it even more interesting.


Special Thanks to:

B.Eng Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.



thumb‎ Embedded Linux Class by Mark A. Yoder