ECE497 Project WireShark
Embedded Linux Class by Mark A. Yoder
Team members: Ben Paras, Manuel Stephan
Contents
Grading Template
I'm using the following template to grade. Each slot is 10 points. 0 = Missing, 5=OK, 10=Wow!
00 Executive Summary 00 Installation Instructions 00 User Instructions 00 Highlights 00 Theory of Operation 00 Work Breakdown 00 Future Work 00 Conclusions 00 Demo 00 Late Comments: I'm looking forward to seeing this. Score: 10/100
(Inline Comment)
Executive Summary
We want to try to port WireShark and see what we could get working on the BeagleBone.
As it was a problem to get wireshark compiled on the beaglebone after some skype sessions with Patrick Vogelaar, Graduate student in Advanced Communications at Napier in Edinburgh we thought of the problem in a different way. Instead of porting ressource consuming wireshark to the beaglebone we use tcpdump on the bone to just monitor the traffic. The traffic is tehn piped through ssh to the host computer and then analyzed by wireshark. So we get use the full capability of wireshark on a host computer and use lean tcpdump on the beaglebone.
Installation Instructions
Prerequisites
Hardware requirements:
- Beagle Bone Black
- Linux host computer running Ubuntu 12.04 LTS or later
- USB cable
- Ethernet Cable
Software requirements:
- Wireshark
- The g++ compiler
- Make
If you do not have these, you can get them with these commands:
sudo apt-get install wireshark sudo apt-get install g++ sudo apt-get install make
Getting the sources:
Do a git clone on our repository to get all the sources you need and do an ls to see them:
git clone git@github.com:manuelstephan/eLinuxProject.git ls confused.pcap Makefile ooP.cpp README.md wireparser.cpp main.cpp Makefile~ original.pcap run.sh wireparser.hpp
You should have a matching directory from above, if not, do a git pull
To build the binary of the wireparser you just have to type make. No additional configuration is required.
make g++ -c wireparser.cpp g++ -c main.cpp g++ -o wireparser wireparser.o main.o
Confiugration and Setup:
Now you need tcpdump so ssh to your beaglebone and check if tcpdump is installed:
ssh root@192.168.7.2 which tcpdump /usr/sbin/tcpdump
Make sure tcpdump exists and is configured to the path: /usr/sbin/tcpdump
If it isn't installed, install it:
opkg install tcpdump
It should automatically configured to the path: /usr/sbin/tcpdump
Now you need an ssh-id on the beaglebone so you can log onto it without typing a password. The script that sets up and runs program needs it to work. Otherwise the process of typing in a password interferes with it.
First do a ssh-keygen:
ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/bp/.ssh/id_rsa): wire Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in wire. Your public key has been saved in wire.pub. The key fingerprint is: 99:e4:9d:14:af:ec:e7:e7:39:9a:4d:e2:3c:31:16:ba bp@bp-HP-EliteBook-8530w The key's randomart image is: +--[ RSA 2048]----+ | . | | o | | . . . | | o * o. | | S =. . | | .. + | | .ooo. | | E=.=o. | | *=+. | +-----------------+
You should get something similar to above. Now copy the key to the beaglebone:
ssh-copy-id root@192.168.7.2 Now try logging into the machine, with "ssh 'root@192.168.7.2'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
From here just type exit
Now everything is prepared for the actual operation. See User Instructions in the next section to learn how to do a live capture on the beaglebone via the host and wireshark.
Here is a link to the github page from where the git clone operation above is running on: https://github.com/manuelstephan/eLinuxProject
User Instructions
Before you start, make sure the beaglebone is connected via USB to your host computer. After that, follow this one step to get everything running.
1) Run capture.sh (eth0 or usb0)
If you haven't already previously, make sure you run make in the eLinuxProject git directory
make g++ -c wireparser.cpp g++ -c main.cpp g++ -o wireparser wireparser.o main.o
Now run the capture.sh script:
./capture.sh eth0 or ./capture.sh usb0 Capturing from eth0 wireshark is installed on your system. mkfifo /tmp/myfifo0 was created .. mkfifo /tmp/myfifo1 was created .. Starting tcpdump ... Tcpdump running ... Starting wireshark ... Wireshark running ... Starting wireparser ... tcpdump: WARNING: eth0: no IPv4 address assigned tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
capture.sh takes in an interface parameter (eth0 or usb0) according to what part of the beagle bone you are watching
This runs the script that sets up and runs everything. After this script is ran, wireshark should open up:
Now connect to the beaglebone's ethernet port and wait for the packets to arrive. It should take a few seconds. Once they arrive, you should see something like this:
Now you can connect anything to either the usb0 or eth0 port of the beaglebone and monitor the traffic.
For more information check out this youtube video tutorial on Wireshark: http://www.youtube.com/watch?v=UFAA_7lpkTE
or visit http://www.wireshark.org/docs for more tutorials on Wireshark.
Highlights
Things we can do:
- Monitor traffic on the beagle though the USB cable to the host using Wireshark
Here is where you brag about what your project can do.
Include a YouTube demo.
Theory of Operation
Components:
- Named pipes - These are basically FIFOs. Many processes can share data through the named pipe.
- tcpdump - A powerful commandline packet analyzer. It is very efficient to use on embedded systems due to its efficiency. The beaglebone also comes with this already installed. It is possible to forward tcpdump traffic over ssh.
- wireshark - A packet analysis tool that comes with a GUI. This is very resource-consuming so it is not ideal to use this on an embedded system. The captures from wireshark also take up a lot of space so its a good idea to be running wireshark on a more powerful system such as your host computer.
- .pcap - These are packet capture files. The following is the file format of .pcacp files (courtesy of wiki.wireshark.org):
This format is supported by both wireshark and tcpdump. The Global Header has a magic number that you need to look for in order to parse the traffic.
typedef struct pcap_hdr_s {
guint32 magic_number; /* magic number */
guint16 version_major; /* major version number */
guint16 version_minor; /* minor version number */
gint32 thiszone; /* GMT to local correction */
guint32 sigfigs; /* accuracy of timestamps */
guint32 snaplen; /* max length of captured packets, in octets */
guint32 network; /* data link type */
} pcap_hdr_t;
The magic number ( 0xa1b2c3d4 (identical) or 0xd4c3b2a1 (swapped) ) is always located at the beginning at the global header.
- wireparser - This is a c++ program that looks for the magic number and throws away everything before the magic number. After if finds the magic number, the rest of the data is passed through.
Operation workflow:
1) Check for existing FIFOs and delete them if they do exist - existing FIFOs may have junk information
2) Create 2 FIFOs in /tmp - myfifo0 and myfifo1
3) Start tcpdump in the background on the beaglebone with the parameters to use pcap format, listen to a specified interface (usb0 or eht0), and then pipe it to /tmp/myfifo0
4) Start wireshark in the background on the host with the parameters to start the capture immediately, capture the interface (/tmp/myfifo1)
5) Start the wireparser which will read from /tmp/myfifo0 , filter it, and write it to /tmp/myfifo1 from which wireshark will read from
6) Any data through tcpdump should appear in the wireshark graphical interface
7) Once finished with capture, CTRL+C to stop everything (wireshark , wireparser, and tcpdump)
All these steps are done in the capture.sh script that was made. See the graphic below for a visualization of the how the programs interact:
The graphic above represents what occurs in the whole process and is explained as follows:
1) The packets captured by tcpdump on the beaglebone from the specified interfaced interface are forwarded over ssh to the 1st FIFO on the host computer
2) The wireparser reads from the 1st FIFO and looks for the magic number 0xa1b2c3d4
3) Everything before the magic number is filtered out and the rest of the data (including the magic number) is passed to the 2nd FIFO
4) The 2nd FIFO now contains only data in the .pcacp format from which wireshark will read from
5) Now wireshark has all the traffic data from the beaglebone and can now be analyzed using the GUI provided
Work Breakdown
Job to do: Get wireshark running on the beagelbone black.
Requirements Specification
The user shall be able to monitor tcp/ip traffic on the beaglebone black. The user shall be able to use wiresharks large capabilities to filter and analyze datapackets.
The user should be able to use a graphical interface.
Major tasks:
Evaluation of the portability of wireshark to the beaglebone black.
Cross compile approach.
Thinking of the problem in a different way. Evaluating if the traffic can be monitored in a other way.
Find out how to filter out ssh relikts.
Writing the parser.
Testing the parser.
Find out how named pipes work. Putting it all together Write a makefile to compile the sources.
List the major tasks in your project and who did what.
Also list here what doesn't work yet and when you think it will be finished and who is finishing it.
Future Work
Suggest addition things that could be done with this project.
Conclusions
Give some concluding thoughts about the project. Suggest some future additions that could make it even more interesting.
Special Thanks to:
B.Eng Patrick Vogelaar, Graduate Student in Advanced Communications at Napier University in Edinburgh for giving us the idea to use named pipes and our current setup to solve this problem.
Embedded Linux Class by Mark A. Yoder
