How to use tcpdump/wireshark

This page describes how to use tcpdump/Wireshark to capture packet traces for analysis.

1. How to use tcpdump/wireshark

Tcpdump is a command line packet sniffer. A packet sniffer is software that captures the incoming and outgoing traffic on a network. Tcpdump runs on all Unix/Linux operating systems and uses the libpcap library to capture network traffic.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is essentially a GUI-based alternative to tcpdump with advanced sorting and filtering options.

These tools enable the following:

  • capture packets from different kinds of network hardware (Ethernet, WiFi, etc.)

  • stop the capture on different triggers (for example, the amount of captured data)

  • filter packets in order to reduce the amount of data to be captured

  • save packets in multiple files

  • capture packets from multiple network interfaces

Both tools are ideal for inspecting a suspicious program’s network traffic, analyzing the traffic flow on the network, and troubleshooting network problems. While tcpdump is command line interface (CLI) based, Wireshark is GUI based with more advanced filtering and sorting options.

1.1. Installation

1.1.1. Tcpdump

Most Linux distributions install a version of tcpdump as part of a standard operating system package. The Kickstart package already includes tcpdump, and since ResolutionMD is installed on a Kickstart version of RHEL, no separate installation is needed.

1.1.2. Wireshark

Important: Many organizations do not allow Wireshark (or similar tools) to be used on their network, so do not install or use it on a customer’s network unless there is explicit permission to do so.

Wireshark can be downloaded for Windows or Unix/Linux operating systems from https://www.wireshark.org/download.html

On the ResolutionMD (RHEL) server:

  1. Use an ssh client to log into the ResolutionMD server with root credentials

  2. Check to see if the required dependencies have been installed by executing the command: rpm -qa | grep -Pi '^(gtk|libpcap|tcpdump)'

  3. The above command should return something similar to:

    • rpm -qa | grep -Pi '^(gtk|libpcap|tcpdump)'

    • gtk2-2.24.23-6.el6.x86_64

    • gtk2-engines-2.18.4-5.el6.x86_64

    • tcpdump-4.0.0-3.20090921gitdf3cb4.2.el6.x86_64

    • libpcap-1.4.0-1.20130826git2dbcaa1.el6.x86_64

  4. If necessary, install any outstanding dependencies using yum, for example:

    • install GTK: yum install gtk2

    • install libpcap: yum install libpcap

    • install tcpdump: yum install tcpdump

  5. Check to see if any Wireshark applications have been previously installed by executing the command:

    • rpm -qa | grep -i wireshark

  6. If nothing is returned, use yum to generate a list of available Wireshark packages by executing the command:

    • yum list wireshark*

  7. To install the Wireshark application, execute the command:

    • yum install wireshark


On Windows:

  1. Select the installer .exe file

  2. Launch the installer

  3. Click Yes to allow the installer package to make changes to the computer

  4. Click Next to start the installation

  5. Review the License Agreement and click I Agree to continue

  6. Leave the default components selected and click Next

  7. Leave the Associate trace file extensions to Wireshark radio button selected and click Next

  8. If desired, specify a Destination Folder, or leave as default and click Next

  9. Ensure the Install WinPcap checkbox is checked and click Next

  10. Ensure the Install USBPcap checkbox is checked and click Install

  11. The program will begin to install and a dialog box for installing the WinPcap application will pop up; click Next to install the WinPcap application

  12. Review the License Agreement for the WinPcap application and click I Agree to continue

  13. Ensure the Automatically start the WinPcap driver at boot time checkbox is checked and click Install

  14. Click Finish to close the WinPcap installation dialog box

  15. Next, a dialog box for installing the USBPcap application will pop up; check the I accept the terms of the License Agreement checkbox and click Next to install the USBPcap driver

  16. Next, a second dialog box for the USBPcap application will pop up; check the I accept the terms of the License Agreement checkbox and click Next to install the USBPcapCMD license

  17. Leave the default components selected and click Next

  18. If desired, specify a Destination Folder, or leave as default and click Install

  19. Click Close to close the USBPcap installation dialog box

  20. Click Next to complete the installation

  21. Leave the Reboot now radio box selected and click Finish to reboot the computer

Note: Wireshark requires Mac OS X 10.5.5 or later.

On Mac OS X:

  1. Select the installer .dmg file

  2. Double-click on the Wireshark x.x.x Intel 64.pkg file

  3. Click Continue to start the Installation Wizard

  4. Review the Software License Agreement and click Continue

  5. Click Agree to verify that you have read the license

  6. If desired, change the Installation Location, or leave as default and click Install

  7. Enter your user password and click Next

  8. Click Close to close the installation dialog box

1.2. Capturing Packets

Before attempting a packet capture, you will need to ensure the following items have been considered and addressed:

  • Capture Privileges - you must have sufficient privileges to capture packets (normal user or root/Administrator privileges, depending on the platform)

  • Capture Support - the operating system of the server must support packet capturing (that is, capture support is enabled and/or a capture driver is installed). On Linux you need to have "packet socket" support enabled in your kernel; if included, see the "Packet socket" item in the Linux "Configure.help" file

  • Time Settings - your server’s date, time and time zone settings are correct, ensuring that the time-stamps captured are meaningful

1.2.1. Tcpdump Capture

Tcpdump is CLI based and as such not as user-friendly as Wireshark. For customers that have strong policies against Wireshark installation, it is best practice to have them capture with tcpdump and write the capture to a file that can then be analyzed locally at our end. The following command captures all packets without truncating them (-s 0) and writes them to a file named "capture.pcap":

tcpdump -s 0 -w capture.pcap

The file is saved in the current directory and can be opened and analyzed using Wireshark.

1.2.2. Wireshark Capture

The following procedure captures packets and has to be done locally on the server being investigated.

  1. Launch the Wireshark program by double-clicking on the icon

  2. The program will launch and open to the "Saved Files" and "Interface List" page, where you can select a file to open or the interface to start capturing packets on.

  3. Select the desired interface; in this example, Local Area Connection was selected.

  4. Once the interface has been selected, the packets will appear in real time; Wireshark captures each packet sent to or from your system. Note: if you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.

  5. Click the Start Capture button to start capturing and the Stop Capture button to stop the packet capture.

  6. To save captured packets, click on file > Save. Name and save the file appropriately and this can be analyzed later.

Note: The above procedure can be done by a support agent remotely or by the customer, and the saved packet capture can be sent to us for analysis.

1.3. Sorting and Filtering

When inspecting specific server communication, it is good practice to close down all other applications using the network. Despite limiting the network traffic in this way, Wireshark will still capture a large number of packets. Use Wireshark’s filters to help sift through the network messages. There are many parameters that can be used to sort and filter in Wireshark. The following are a few:

  1. Protocols such as TCP, ARP, DICOM, etc.

  2. The presence of a field, e.g. source, destination, time, etc.

  3. The value of a field. An example would be filtering based on a specific IP address (source or destination).

  • The most basic way to apply a filter is by typing it into the Filter field at the top of the application window and clicking Apply. For example, type “tcp” and you’ll see only TCP packets. When you start typing, Wireshark will help you autocomplete your filter.

  • Another method is to click the Analyze drop-down menu and select Display Filters to specify a new filter. From the resultant pop-up window, click (+) to specify/create new filters or (-) to delete specific filters.

  • Another method is following a specific TCP/UDP/SSL communication stream. Right-click on the desired network communication entry, click Follow, and select the appropriate stream type.
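The "tcpdump -s 0 -w capture.pcap" command in section 1.2.1 and the "value of a field" filters described above come together in the following added example (not code from the original page or from the Wireshark project): a minimal reader for the libpcap file format that tcpdump -w produces, plus a tiny subset of Wireshark's display-filter syntax (ip.addr, ip.src, ip.dst, tcp.port, udp.port and bare protocol names joined with &&) applied to the decoded packets. The capture it reads is constructed in memory, with placeholder addresses, ports and payloads, so it runs offline; checksums in the constructed frames are left at zero because the frames are never sent.

```python
"""Added example: decode a libpcap (tcpdump -w) byte string and apply a
small subset of Wireshark display-filter syntax. Sample capture is
constructed in memory; addresses, ports and payloads are placeholders."""
import ipaddress
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts_sec ts_usec src dst proto sport dport payload_len")

DLT_EN10MB = 1            # link type in the pcap global header: Ethernet
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_frame(src, dst, proto, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP-or-UDP frame for the sample capture (checksums zero)."""
    if proto == "tcp":
        # TCP header: ports, seq, ack, data offset 5 words, PSH|ACK, window, cksum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        pnum = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)   # UDP header
        pnum = 17
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, pnum, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def build_pcap(frames, snaplen=262144):
    """Wrap frames in a little-endian libpcap file, the layout tcpdump -w writes on x86."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, DLT_EN10MB)
    for i, frame in enumerate(frames):
        # per-packet record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame, ts_sec, ts_usec):
    """Pull addresses, ports and payload length out of an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", frame, 16)[0]
    pnum = frame[23]
    if pnum not in PROTO_NAMES:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, l4)
    l4_len = (frame[l4 + 12] >> 4) * 4 if pnum == 6 else 8
    return Packet(ts_sec, ts_usec, src, dst, PROTO_NAMES[pnum], sport, dport,
                  total_len - ihl - l4_len)


def parse_pcap(data):
    """Return Packet records from a libpcap byte string (IPv4 TCP/UDP only; others skipped)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap capture (pcapng uses a different magic)")
    if struct.unpack_from(end + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("this example only decodes Ethernet captures")
    packets, off = [], 24                            # 24 = global header size
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len], ts_sec, ts_usec)
        off += incl_len
        if pkt is not None:
            packets.append(pkt)
    return packets


def match(pkt, expr):
    """Evaluate 'field == value' terms joined by '&&' (a small display-filter subset)."""
    for term in (t.strip() for t in expr.split("&&")):
        if "==" not in term:                         # bare protocol name, e.g. "tcp"
            if pkt.proto != term:
                return False
            continue
        field, value = (s.strip() for s in term.split("==", 1))
        proto, _, name = field.partition(".")
        if proto == "ip":
            have = {"src": [pkt.src], "dst": [pkt.dst], "addr": [pkt.src, pkt.dst]}[name]
        elif proto == pkt.proto:                     # tcp.* / udp.* only match their own protocol
            have = {"port": [pkt.sport, pkt.dport], "srcport": [pkt.sport], "dstport": [pkt.dport]}[name]
            value = int(value)
        else:
            return False
        if value not in have:
            return False
    return True


def apply_filter(packets, expr):
    return [p for p in packets if match(p, expr)]


# Constructed sample capture: a DICOM-port exchange, a DNS query and an HTTP request.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.20", "tcp", 51000, 104, b"\x01\x00" + b"\x00" * 6),
    build_frame("10.0.0.20", "10.0.0.5", "tcp", 104, 51000, b"\x02\x00" + b"\x00" * 6),
    build_frame("10.0.0.5", "10.0.0.53", "udp", 40000, 53, b"\x12\x34" + b"\x00" * 10),
    build_frame("10.0.0.7", "10.0.0.20", "tcp", 52000, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for p in apply_filter(parse_pcap(SAMPLE_PCAP), "tcp.port == 104"):
        print(p)
```

To run it against a real file written by "tcpdump -s 0 -w capture.pcap", pass open("capture.pcap", "rb").read() to parse_pcap instead of SAMPLE_PCAP; note that the reader handles only the classic pcap format, not pcapng, and only Ethernet link types.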


If DICOM traffic uses a port other than the default, tell Wireshark which ports to decode as DICOM:

  1. Click on Edit

  2. Then Preferences

  3. Expand Protocols on the left column and click on DICOM

  4. Add the appropriate comma-separated port numbers and click OK

This ensures that applying the dicom display filter matches all associated packets.