Wireshark can't open .cap captured by iptrace -T - macos

The .cap file was captured on AIX v7.1 by iptrace -a -T -b -d XXX.XXX.XX.XXX mycap.cap
When I try to open it with wireshark/tshark on Mac OS X, it shows:
The capture file appears to be damaged or corrupt. (pcap: File has 3130924352-byte packet, bigger than maximum of 262144)
I think it's iptrace's problem, as this is what I get once I try it with tcpdump -r:
SONGMBP:toibm6 song$ tcpdump -r bk22.cap
reading from file bk22.cap, link-type EN10MB (Ethernet)
-5:-46:-20.131076 [|ether]
tcpdump: pcap_loop: bogus savefile header
SONGMBP:toibm6 song$
My tcpdump version is the one shipped with Mac OS X.
So why? Thanks in advance.

I dropped the idea. Even ipreport -T on the same AIX host couldn't parse the data.
Thankfully newer versions of AIX ship tcpdump with them. So... I'll go for tcpdump instead.
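The two error messages above both come from the libpcap savefile reader: it reads the 24-byte global header, then one 16-byte record header per packet, and rejects any record whose captured length exceeds 262144 bytes. The following is an added example (not from the question or the answer) that implements that same reader in Python with the same sanity checks, so you can see exactly which field the tools tripped on. The sample files it builds are constructed, not real captures; the bogus length is the one from the question.

```python
import struct

# libpcap refuses records longer than this; it is the number in the
# "bigger than maximum of 262144" error in the question.
MAX_SNAPLEN = 262144

# Magic numbers as they appear when the first 4 bytes are read little-endian.
_MAGIC_LE = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}   # written by a little-endian host
_MAGIC_BE = {0xD4C3B2A1: "us", 0x4D3CB2A1: "ns"}   # written by a big-endian host (e.g. AIX on POWER)


def parse_pcap(data):
    """Parse a classic pcap file into (link_type, [(ts_sec, ts_frac, packet_bytes), ...]).

    Raises ValueError with a libpcap-style message on the kinds of corruption
    Wireshark and tcpdump complained about in the question.
    """
    if len(data) < 24:
        raise ValueError("truncated file header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _MAGIC_LE:
        order = "<"
    elif magic in _MAGIC_BE:
        order = ">"
    else:
        raise ValueError("bad magic number 0x%08x: not a libpcap file" % magic)
    # version major/minor, thiszone, sigfigs, snaplen, link type
    vmaj, vmin, _tz, _sig, snaplen, link_type = struct.unpack(order + "HHiIII", data[4:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        raise ValueError("invalid snaplen %d" % snaplen)

    packets = []
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        # This is the check behind the error in the question: a captured length that
        # cannot be real means what we just read was not a record header at all.
        if incl_len > MAX_SNAPLEN:
            raise ValueError("File has %d-byte packet, bigger than maximum of %d"
                             % (incl_len, MAX_SNAPLEN))
        if incl_len > orig_len:
            raise ValueError("bogus record: incl_len %d > orig_len %d" % (incl_len, orig_len))
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append((ts_sec, ts_frac, data[off:off + incl_len]))
        off += incl_len
    return link_type, packets


def build_pcap(link_type, packets, order="<"):
    """Write a classic (microsecond) pcap file for a list of (ts_sec, ts_usec, bytes)."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, MAX_SNAPLEN, link_type)
    body = b"".join(struct.pack(order + "IIII", s, u, len(p), len(p)) + p
                    for s, u, p in packets)
    return hdr + body


def check_file(data):
    """Return None if the file parses, otherwise the error text a tool would print."""
    try:
        parse_pcap(data)
        return None
    except ValueError as e:
        return str(e)


# Constructed sample input (not a real capture): one Ethernet frame on DLT_EN10MB (1),
# then a second file whose first record header carries the impossible length
# from the question.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806") + b"constructed-payload"
GOOD_FILE = build_pcap(1, [(1700000000, 1234, SAMPLE_FRAME)])
BAD_FILE = GOOD_FILE[:24] + struct.pack("<IIII", 1700000000, 0, 3130924352, 3130924352)

if __name__ == "__main__":
    print(check_file(GOOD_FILE))   # None
    print(check_file(BAD_FILE))    # File has 3130924352-byte packet, bigger than maximum of 262144
```

Run it against the real file with `check_file(open("bk22.cap", "rb").read())`: if the magic check fails first, the file is not pcap at all (iptrace has its own on-disk format), and if the magic passes but the first record fails, the writer produced a pcap-looking header followed by something else. Either way the problem is on the writing side, which is the conclusion the answer reached.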

Related

Analogue of "any" pseudo-device in macos

Is there any possibility to capture packets with tcpdump from all devices on macOS?
On Linux I would use 'sudo tcpdump -i any'. On my macOS, when I execute 'sudo tcpdump -D', I don't see an "any" pseudo-device.
Per #ChristopherMaynard:
The tcpdump docs specify "any" as working on Linux: "On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces." However, it is not actually OS-specific.
tcpdump accepts the any interface on macOS in my testing, so in answer to your question, the analogue of any on Linux is any on macOS:
bash-5.0 $ sudo tcpdump -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
09:43:57.789302 IP6 dsldevice7.attlocal.net.domain > 2600:1700:a700:7340:6dad:2758:c536:f29f.56483: 4283 1/0/0 SOA (85)
09:43:57.789324 IP6 2600:1700:a700:7341:6dad:2759:c536:f29f > dsldevice7.attlocal.net: ICMP6, destination unreachable, unreachable port, 2600:1700:a700:7340:6ded:2759:c536:f29f udp port 56423, length 141
...
tcpdump should have the same options (manpage) on both macOS and Linux, apart from those detailed below. If you have an older version of tcpdump (my version is 4.9.3/Apple version 83.200.3), you can update it with brew install tcpdump.
macOS/Linux tcpdump differences
You should still look at the manpages when in doubt, but this is a summary of the differences:
Linux
-Q direction : Choose send/receive direction (in/out/inout)
macOS
-k : Control display of packet metadata
-Q : Specify a filter expression based on packet metadata
-P : Save to pcapng
Note: Unlike Linux or *BSD, macOS does not support -Q direction.

How to capture the traffic of Genymotion Emulator with tcpdump?

I have an Android device (simulated with Genymotion on top of VirtualBox) on my host computer (Ubuntu).
Which interface should I capture to get both incoming and outgoing traffic of the Android device?
Download tcpdump for android from here: https://www.androidtcpdump.com/android-tcpdump/downloads
Use the following commands to setup all the things.
adb root
adb remount
adb push ./tcpdump /system/xbin/tcpdump
To use:
adb shell
tcpdump -D
tcpdump -vv -i any -s 0 -w /sdcard/dump.pcap
adb pull /sdcard/dump.pcap .
Then analyze the pcap file in Wireshark if you want.
This answer might help https://stackoverflow.com/a/48062718/20107. It's using Wireshark but it should be easy to adapt to tcpdump.

How to unmask websockets when using tcpdump or tshark?

Without having to launch Wireshark or store and analyze packets later:
how can I get a live view of this without the gibberish that websockets produce?
tcpdump -nnXSs 0 port 1234
tshark -r out.pcap -Y websocket.payload -E occurrence=l -T fields -e text
The unmasked text is handed off to the "Line-Based text data" dissector, so you need to use the field selector for that, and also set the occurrence to the last instance of that field in the packet to remove "noise". I've also added a filter to limit the output to packets that contain a websocket payload.
by grahamb in https://ask.wireshark.org/questions/60725/how-to-dump-websockets-live-with-tshark
The feature was removed in version 2.0 of Wireshark.
So you have to get the following packages from Ubuntu trusty 14.04 and install them:
sudo dpkg -i wireshark-common_1.10.6-1_amd64.deb tshark_1.10.6-1_amd64.deb libwireshark3_1.10.6-1_amd64.deb libwsutil3_1.10.6-1_amd64.deb libwiretap3_1.10.6-1_amd64.deb libgnutls26_2.12.23-12ubuntu2.7_amd64.deb libgcrypt11_1.5.3-2ubuntu4.4_amd64.deb
Disable updates:
sudo apt-mark hold tshark
Fix dependencies:
sudo apt install -f
Command to dump content:
tshark -e websocket.payload.text_unmask -Tfields port 1234
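The "gibberish" in a tcpdump -X dump is RFC 6455 masking: every client-to-server frame carries a 4-byte key and the payload is XORed with it byte by byte (server-to-client frames are sent in the clear). That is the only thing tshark's websocket dissector has to undo to show the text, and it is simple enough to do yourself. The following is an added example, not code from either answer: a minimal frame parser that consumes the TCP payload after the HTTP upgrade, unmasks each frame, and stops cleanly at a frame that is still incomplete. The first sample frame is the worked example from RFC 6455 section 5.7; the second is constructed here.

```python
import struct

OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}


def parse_frame(buf):
    """Parse one WebSocket frame at the start of buf.

    Returns (frame, bytes_consumed); frame["payload"] is already unmasked.
    Raises ValueError("need more data") when the frame is not yet complete,
    which is the normal case at a TCP segment boundary.
    """
    if len(buf) < 2:
        raise ValueError("need more data")
    b0, b1 = buf[0], buf[1]
    if b0 & 0x70:
        raise ValueError("reserved bits set without a negotiated extension")
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    off = 2
    if length == 126:                       # 16-bit extended length
        if len(buf) < off + 2:
            raise ValueError("need more data")
        length = struct.unpack(">H", buf[off:off + 2])[0]
        off += 2
    elif length == 127:                     # 64-bit extended length, top bit must be 0
        if len(buf) < off + 8:
            raise ValueError("need more data")
        length = struct.unpack(">Q", buf[off:off + 8])[0]
        off += 8
        if length >> 63:
            raise ValueError("invalid 64-bit length")
    key = b""
    if masked:
        if len(buf) < off + 4:
            raise ValueError("need more data")
        key = buf[off:off + 4]
        off += 4
    if len(buf) < off + length:
        raise ValueError("need more data")
    payload = buf[off:off + length]
    if masked:
        # The masking step: payload[i] XOR key[i mod 4]; applying it again masks.
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    frame = {"fin": fin, "opcode": OPCODES.get(opcode, hex(opcode)),
             "masked": masked, "payload": payload}
    return frame, off + length


def build_frame(payload, opcode=0x1, mask_key=None, fin=True):
    """Build a frame; give a 4-byte mask_key to produce a client->server frame."""
    header = bytes([(0x80 if fin else 0) | opcode])
    n = len(payload)
    mask_bit = 0x80 if mask_key else 0
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 65536:
        header += bytes([mask_bit | 126]) + struct.pack(">H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack(">Q", n)
    if mask_key:
        payload = bytes(c ^ mask_key[i % 4] for i, c in enumerate(payload))
        return header + mask_key + payload
    return header + payload


def unmask_stream(buf):
    """Decode every complete frame in a TCP payload slice; a trailing partial frame is left."""
    frames = []
    while buf:
        try:
            frame, used = parse_frame(buf)
        except ValueError:
            break
        frames.append(frame)
        buf = buf[used:]
    return frames


# Sample input. CLIENT_FRAME is the masked text frame from RFC 6455 section 5.7
# (key 37 fa 21 3d, text "Hello"); SERVER_FRAME is a constructed unmasked reply.
CLIENT_FRAME = bytes.fromhex("81 85 37 fa 21 3d 7f 9f 4d 51 58")
SERVER_FRAME = build_frame(b"hello back")

if __name__ == "__main__":
    for f in unmask_stream(CLIENT_FRAME + SERVER_FRAME):
        print(f["opcode"], "masked" if f["masked"] else "clear", f["payload"])
```

To use it on live traffic you still need something to hand you the TCP payload bytes after the HTTP 101 response; the point of the example is that once you have them, a few dozen lines replace the old tshark field, and it works on any tshark version because it never touches the dissector.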

Using snort for windows, connecting to a remote machine

I'm trying to run Snort on Windows, but instead of using -i eth0, can I use a remote interface (rpcap)? I'm using Windows 7 in VMware.
Here is the command I run:
c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
I run into ERROR: pcap does not support inline
Running snort --daq-list gives:
Available DAQ modules:
pcap(v3): readback live multi unpriv
Please help: how can I connect to and collect data from my remote machine?
Many thanks!
Your problem is that you are trying to operate in inline mode and read a pcap, which doesn't make sense. You would do one or the other. Notes:
The argument "--daq pcap" isn't required for you because pcap is the default, but this won't cause any problems, just a note.
The argument "--daq-mode inline" should be completely removed from the command. You are playing a pcap so the device isn't inspecting traffic inline, it doesn't make any sense to use this here.
Using the -i option is for specifying the interface to listen on. You don't want to specify a pcap file here. Since you are replaying a pcap you need to change this argument to "-r". snort help for this option: -r <tf> Read and process tcpdump file <tf>
Your command should be as follows:
c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -r rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}

Sending arp via shell

Is there a way to send custom (and even unsolicited) ARP responses via shell (e.g. by hand or by a shell script) on Mac OS X or any other UNIX?
In addition, is there a way to make the software ask for the MAC addresses of all IPs in the current subnet without pinging anyone?
Yes, there is. This kind of activity is used in ARP spoofing and ARP poisoning attacks and is performed for example by arpspoof. If you want to discover a host's MAC when you know its IP and it is located in your broadcast domain (LAN), use arping. ARP is a layer 2 protocol, so its packets are not forwarded by routers, but it's much more reliable than ICMP echo (ping).
Some tools:
arp - standard program (win/unix) used to list the host's IP-MAC address association cache, which contains already learnt IPs
arping - unix program which sends an ARP Request for a given IP and displays the MAC contained in the received ARP Response
arpspoof - a program from the dsniff package generating bogus ARP Responses
A packet generator might do the trick. The Wikipedia page links to some implementations, but I don't know if they work on OS X.
There are also arp-scan, using libpcap, and arpdropper, using libnet.
To passively (or actively) sniff your network for ARP packets and display the IP and MAC address of the machine that generated each packet you may use a Mac OS X application called ArpSpyX.
# arpdropper requires http://sourceforge.net/projects/libnet-dev/ to compile
# (libnet & arpdropper successfully compiled on Mac OS X 10.6.8)
curl -LO http://thebends.googlecode.com/svn/trunk/misc/arpdropper.c
gcc -Wall -Wextra -lnet -o arpdropper arpdropper.c
./arpdropper
# Usage: ./arpdropper -i <device> -s <source ip> -d <dest ip>
# For arp replies:
# ./arpdropper -r -i <device> -s <source ip> -m <source mac> -d <dest ip>
# using nmap
# get a pre-compiled Mac OS X version of nmap at:
# http://nmap.org/download.html#macosx or
# http://www.berndsworld.com/downloads/
nmap -PR -oN nmap-arpscan.txt 192.168.0.0/16
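All of the tools above (arping, arpspoof, arpdropper, arp-scan, nmap -PR) build the same 42-byte Ethernet + ARP frame and differ only in the opcode and which addresses they fill in. The following is an added example, not code from the answers or from any of those tools: it builds and decodes that frame, produces the unsolicited "IP is at MAC" reply the question asks about, and generates the per-host request sweep that arp-scan and nmap -PR use instead of pings. Addresses in the sample are constructed. The send_frame helper is an assumption for Linux only (AF_PACKET raw socket, needs root); on macOS you would write the same bytes to a /dev/bpfN device, which the example does not implement.

```python
import ipaddress
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return a complete Ethernet II + ARP frame, padded to the 60-byte Ethernet minimum.

    Requests go to the broadcast MAC; replies go to the target MAC unless dst_mac overrides it.
    """
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack(">H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    frame = eth + arp
    return frame + b"\x00" * max(0, 60 - len(frame))


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame; returns None for anything else."""
    if len(frame) < 42 or struct.unpack(">H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack(">HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def gratuitous_reply(mac, ip):
    """Unsolicited broadcast reply announcing 'ip is at mac' (sender == target).

    This is the frame an ARP poisoner sends with someone else's ip; conventions for
    the target MAC field vary between implementations, the sender's own MAC is used here.
    """
    return build_arp(ARP_REPLY, mac, ip, mac, ip, dst_mac=BROADCAST)


def sweep_requests(sender_mac, sender_ip, cidr):
    """One ARP request per host in cidr: what arp-scan and nmap -PR send instead of pings."""
    return [build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, str(host))
            for host in ipaddress.ip_network(cidr, strict=False).hosts()]


def send_frame(frame, iface):
    """Assumed Linux-only sender: raw AF_PACKET socket bound to iface (requires root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    try:
        s.bind((iface, 0))
        s.send(frame)
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed addresses; nothing here is sent unless you call send_frame yourself.
    req = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10", ZERO_MAC, "192.168.1.1")
    print(parse_arp(req))
    print(parse_arp(gratuitous_reply("00:11:22:33:44:55", "192.168.1.10")))
    print(len(sweep_requests("00:11:22:33:44:55", "192.168.1.10", "192.168.1.0/24")), "requests")
```

Feed the frames from sweep_requests to send_frame and capture the replies with tcpdump -i <iface> arp to get the same IP-to-MAC table arp-scan prints; the replies arrive only from hosts that are up on the local segment, which is why this works where ICMP is filtered.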
