Sniffing/recording application layer only - recording

I am looking for a tool (preferably on Linux) that can sniff UDP traffic and record only the application layer to file(s).
I couldn't get tcpdump/Wireshark to do so, as they always write the lower layers' headers too.
I tried working with snort (./snort -qd -l ./logs), but it kept storing data to files even if there was no application layer data in a packet.
Perhaps somebody knows such a tool...
Oh, and the UDP traffic is also multicast...
I also tried multicat (VideoLAN's). They claim it's the netcat of multicast. But I don't know; besides the payload that I send manually using netcat, it also stores some other binary garbage (to me)...
Anyone familiar with multicat?

Wireshark has filters that parse most protocols' headers, and will definitely recognize UDP, IP, Ethernet, etc. headers. I am not sure what you want to accomplish with the logging, but if the format of the file is important (i.e. no headers at all should be stored to the file), you could try using a UDP proxy.
Using netcat, you could do something like
nc -u -l 12345 | tee mydumpfile.out | nc -u target.example.com 12345
You have to do the reverse as well to dump 2-way communication. If you are doing this for reverse engineering, you may have to edit your /etc/hosts file as well to point the target DNS name to localhost. I did this for TCP connections a couple of times, but I did not try it for UDP; there may be problems with packet boundaries etc. due to buffering of the piped data.
If you want maximum control, write it yourself (it is only a dozen or so lines if you use e.g. Python+Twisted).
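As an added example (not part of the original answer): instead of proxying the traffic, you can let tcpdump keep the lower-layer headers and strip them afterwards. The Python below parses a classic little-endian pcap file captured on an Ethernet interface, keeps only the UDP payloads, skips datagrams that carry no application data (the snort problem above), and writes each payload with a 2-byte length prefix so datagram boundaries survive (the buffering problem with the netcat pipe above). The sample capture is constructed inside the code; IP/UDP checksums are left zero, and VLAN-tagged or IPv6 frames are not handled.

```python
"""Keep only UDP payloads from a classic pcap capture (Ethernet link type)."""
import struct

PCAP_MAGIC_LE = 0xa1b2c3d4   # classic libpcap magic as written by a little-endian host
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_frame(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/UDP Ethernet frame,
    or None for other frames and for datagrams that carry no payload.
    VLAN-tagged and IPv6 frames are not handled (assumption for this demo)."""
    if len(frame) < 14 + 20 + 8:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len, = struct.unpack_from("!H", ip, 2)
    if ip[9] != IPPROTO_UDP or ihl < 20 or total_len < ihl + 8 or total_len > len(ip):
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:total_len]                        # use IP total length, so Ethernet padding is ignored
    sport, dport, udp_len, _cksum = struct.unpack_from("!HHHH", udp, 0)
    payload = bytes(udp[8:udp_len])
    return (src, sport, dst, dport, payload) if payload else None


def udp_payloads(pcap_bytes):
    """Walk the pcap records and yield every non-empty UDP payload with its addresses."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                                       # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        parsed = parse_frame(pcap_bytes[off:off + incl_len])
        off += incl_len
        if parsed is not None:
            yield parsed


def write_payloads(pcap_bytes, out_path):
    """Write payloads to out_path, each prefixed with a 2-byte big-endian length
    so datagram boundaries survive (plain concatenation loses them).
    Returns the number of datagrams written."""
    count = 0
    with open(out_path, "wb") as f:
        for _src, _sport, _dst, _dport, payload in udp_payloads(pcap_bytes):
            f.write(struct.pack("!H", len(payload)) + payload)
            count += 1
    return count


def build_frame(src, sport, dst, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame for the demo (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = b"\x01\x00\x5e\x01\x01\x01" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file header plus record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


# Constructed sample capture: two multicast datagrams with data and one empty one.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 40000, "239.1.1.1", 5004, b"hello"),
    build_frame("10.0.0.5", 40000, "239.1.1.1", 5004, b""),
    build_frame("10.0.0.5", 40000, "239.1.1.1", 5004, b"world"),
])

if __name__ == "__main__":
    for rec in udp_payloads(SAMPLE_PCAP):
        print(rec)
    print(write_payloads(SAMPLE_PCAP, "udp-payloads.bin"), "datagrams written")
```

Run it against a real file with `udp_payloads(open("capture.pcap", "rb").read())`; the capture must be in the classic pcap format (tcpdump -w), not pcapng. Multicast needs nothing special here, since the headers being stripped are the same; it is only the capture step (joining the group, or capturing promiscuously) that differs.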

Related

Torrent debugging tools

Are there some sort of tools to debug BitTorrent?
e.g. I wish to query a tracker to get the peer list.
I wish to check if I am able to connect to a certain peer.
I have odd behavior in my home network.
I wish to understand how it works and I can't find any tools to simulate torrent.
PS I already made a simple Python app to check if I can receive UDP packets:
import socket

port = 50000
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind(("", port))              # listen on all interfaces
print("waiting on port:", port)
while True:
    data, addr = s.recvfrom(1024)   # one datagram per call
    print(data)
and I can send with ncat $IP $PORT -u -v.
But now that I know I can send a packet to a certain port and it is open,
I wish to check if I can talk with the torrent app on that port.
One torrent client works and the other doesn't; I want to know what is wrong.
There is no "The Bittorrent Debugger", but you can use various tools to diagnose problems.
You can use nmap locally or web services providing a frontend to remote nmap instances to probe the reachability of ports.
You can use Wireshark with the BitTorrent dissector to debug the protocol itself; some understanding of the BitTorrent protocol is required for that.
Some clients (e.g. Vuze) provide very verbose logging, down to individual BitTorrent messages, which can help with diagnosing problems.
You can run a second client on a different port or on a virtual machine and have them talk to each other over the local network to exclude potential router/firewall issues.
What I have done to debug protocol issues in my own code is to set up various VMs/containers, one running a tracker (opentracker) and the others running various clients, with my host running my own client, which I test regularly. Then I selectively start and stop the clients and make them talk to my client and the tracker, and I can easily analyze all the BitTorrent traffic passing between all the pieces with Wireshark. You can easily extend the same setup to include multiple machines in a real network rather than VMs/containers and virtual networks.
To "make" the clients talk to each other, just create a torrent with one of the clients (most clients can make torrents from files you have) and add your own tracker to the torrent. Then add the torrent file to your other clients and they start talking to each other and distributing the data immediately.
At the end, you'll have something like this:
                    +-----------+
Debug client <----> |           | <----> opentracker <--------> another client
     ^              | Wireshark |                                    ^
     |              |           |                                    |
     +------------> |           | <----------------------------------+
                    +-----------+
And you can precisely analyse the traffic you're getting through the BitTorrent protocol. Wireshark even has dissectors for the BitTorrent TCP protocol, so you don't even have to decipher the cryptic bytes yourself.
Note that you'll have to know about the protocol itself:
Protocol and .torrent file spec
Tracker spec
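For the "query the tracker to get the peer list" part of the question, here is an added example (not code from the answer or from any client): it builds the HTTP announce request a client sends to a tracker, decodes the bencoded reply, and extracts the peer list from both the compact (6 bytes per peer) and the dictionary form. The tracker URL, info_hash and the sample reply are constructed for the demo; a real tracker's reply is whatever bytes the HTTP GET returns.

```python
"""Build a BitTorrent HTTP tracker announce and decode the bencoded reply."""
import hashlib
import socket
import struct
from urllib.parse import urlencode


def announce_url(tracker, info_hash, peer_id, port, left, compact=True):
    """Compose the GET request a client sends to an HTTP tracker.
    info_hash and peer_id are raw 20-byte strings; urlencode percent-escapes them."""
    params = {
        "info_hash": info_hash,
        "peer_id": peer_id,
        "port": port,
        "uploaded": 0,
        "downloaded": 0,
        "left": left,
        "compact": 1 if compact else 0,
        "event": "started",
    }
    return tracker + "?" + urlencode(params)


def bdecode(data):
    """Decode one bencoded value. Strings come back as bytes (peer lists are binary)."""
    value, end = _bdecode(data, 0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def _bdecode(data, i):
    c = data[i:i + 1]
    if c == b"i":                               # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                               # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _bdecode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                               # dict: d<key><value>...e
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _bdecode(data, i)
            val, i = _bdecode(data, i)
            result[key] = val
        return result, i + 1
    if c.isdigit():                             # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        start = colon + 1
        return data[start:start + n], start + n
    raise ValueError("bad bencode at offset %d" % i)


def decode_peers(reply):
    """Turn a tracker reply into a list of (ip, port). Handles the compact form
    (4-byte IP + 2-byte port per peer) and the list-of-dicts form, and surfaces
    a 'failure reason' from the tracker instead of returning an empty list."""
    resp = bdecode(reply)
    if b"failure reason" in resp:
        raise RuntimeError(resp[b"failure reason"].decode("utf-8", "replace"))
    peers = resp[b"peers"]
    if isinstance(peers, bytes):
        if len(peers) % 6:
            raise ValueError("compact peer list is not a multiple of 6 bytes")
        return [(socket.inet_ntoa(peers[k:k + 4]), struct.unpack("!H", peers[k + 4:k + 6])[0])
                for k in range(0, len(peers), 6)]
    return [(p[b"ip"].decode(), p[b"port"]) for p in peers]


# Constructed sample reply: interval 1800 and two peers in compact form.
SAMPLE_REPLY = (b"d8:intervali1800e5:peers12:" +
                socket.inet_aton("192.168.1.10") + struct.pack("!H", 51413) +
                socket.inet_aton("10.0.0.7") + struct.pack("!H", 6881) + b"e")

if __name__ == "__main__":
    ih = hashlib.sha1(b"constructed info dictionary").digest()   # stands in for a real info_hash
    print(announce_url("http://127.0.0.1:6969/announce", ih, b"-PY0001-" + b"0" * 12, 51413, 1024))
    print(decode_peers(SAMPLE_REPLY))
```

To use it against the opentracker from the answer, fetch the URL with any HTTP client and pass the response body to decode_peers(); with Wireshark running alongside, the same request and reply are visible in the BitTorrent dissector, which is a quick way to confirm the two agree.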

How to block a connection to a specific FTP server

I'm thinking about writing an anti-keylogger/anti-RAT application. Basically, what I want it to do is this:
Monitor outgoing ftp traffic (maybe monitor all outgoing traffic and have an option to filter by ftp)
Analyze headers to find potential keyloggers/RATs
Sniff out the FTP address for any such connections
Block (or give user the option to block) connections to these addresses
I think I can handle steps 1-3, and I know I could block all FTP traffic, but how could I go about blocking specific addresses?
On a side note, can anyone suggest some libraries that might make steps 1-3 easier? Or libraries that'll do step 4, if they exist. I don't mind writing code to target multiple OSes.
Snort allows you to monitor incoming/outgoing traffic and works based on a set of rules specified in a file. Once you've detected outgoing traffic that has a certain IP/port/body using Snort, use SnortSAM in conjunction with a firewall to block traffic to that IP/port.

Is there a way to monitor what process sends UDP packets (source/dest IP and port) in Windows?

I discovered almost accidentally that my machine was sending and receiving UDP packets to a machine in Poland. Not that I have any problem with Poland, I just don't know why my laptop has the need to communicate with a server there. Reverse DNS shows just the ISP providing the address to some end user. Using Wireshark, I can monitor the messages, which were indecipherable as they were probably encrypted. All packets sent from my machine had the same source port, so clearly the application that sent them opened this UDP socket to use it. I am searching for ways to:
1) enumerate all current sockets open in the system, including the process that created them and, for both TCP and UDP, what ports and addresses they are currently bound to.
2) because applications can open these sockets, use them, and close them right away, I would love to find (or perhaps even write) a program that once started would somehow get notification each time a socket gets created, or really more importantly when bound to a source and/or destination address and port. For UDP, I would love to also be able to monitor/keep track of the destination IP addresses and ports that socket has sent messages to.
I don't want to monitor the traffic itself, I have Wireshark if I want to view the traffic. I want to be able to then cross reference to discover what application is generating the packets. I want to know if it is from a process I trust, or if it is something I need to investigate further.
Does anybody know of any applications (for the Windows platform) that can do this? If not, any ideas about a .NET or Windows API that provides this capability, should I want to write it myself?
Edit:
After further research - looks like the APIs to use are GetExtendedUdpTable and GetExtendedTcpTable, CodeProject.com has some samples wrapping these in .NET (see http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G). So a combination of this API and some sniffer code would be needed to monitor and keep track of what hosts at what ports using what protocol any particular application on your machine is talking to. If I ever get some free time, I'll consider creating this, if you know of an app that does all this, please let me know.
Try SysInternals TCPView. Despite its name, it handles UDP as well.
netstat -b to enumerate all ports along with the process names.
You can try using SysInternals' Process Monitor (ProcMon.exe or ProcMon64.exe).
It allows for filtering of processes by the "UDP Send" operation, and provides detailed UDP connection data, including source and destination addresses (IP) and ports etc.

changing the protocol for client to server

I have to test the values from client to server using different protocols (TCP, UDP, SCTP).
Please guide me on how this is possible. Is there any way in Windows to change the protocol, or is there any way to find it by using software like Packet Tracer?
Thanks
While the question is not entirely clear, it sounds as though you're interested in seeing the information sent between the client and the server when each of those protocols is used.
Windows does not provide a built in utility to view packet data but it can be viewed using a packet analyser such as Wireshark.
In order to see the values sent by each protocol you must run a client for each of the protocols and use it to connect to the server for that protocol. If you don't have a server to connect to, you may need to run one on your local machine.
You can narrow down the data captured to just the protocol you're interested in using a filter in Wireshark. If you don't know the protocol being used, you can filter by the port number used for that connection, which can be established using the netstat command.
You may need to use netstat -b to show you which programs are using which ports.
If you just have to generate packets using different protocols, then a tool like netcat can also help. It supports TCP and UDP and has been ported to Windows.

Tracking XWindow Protocol

Is it possible to track the XWindow protocol with a tool? I thought Wireshark would be a good framework to host such an idea, but there seems to be no support. What should be done to achieve this goal?
Wireshark does have the ability to dissect the X-Window protocol.
However: You first have to be able to capture the actual X-Window traffic between an X-client (app) and an X-Server before Wireshark can dissect it.
X-Windows traffic between an app (X-Windows client) and an X-Windows Server both running on your local machine probably uses "Unix domain sockets" to do direct interprocess communication (IPC) between the client and the server. There's no underlying network protocol used and thus the traffic is (AFAIK) not capturable for dissection by Wireshark.
It's been a while since I've dealt with X but I think basically what is needed is that an X-Server be running on a box such that the server is listening for (and willing to accept) network connections. If an Xclient app on a remote node (or local node ?) then connects to the XServer over the network, you will then be able to capture that traffic for dissection by Wireshark.
X is complicated; If you're not familiar with the details of running X, you'll need to do some reading or ask for additional info. I've long since blanked out details related to X.
It is possible in principle to capture X-Window protocol that goes through a Unix socket using strace. Then it is possible to wrap this data for Wireshark using text2pcap.
Example:
capture X-window protocol frames that go to the X-server with pid 1998 on the unix socket with file descriptor 41:
bash$ sudo strace -e trace=read,write -e read=41 -p 1998 2>&1 | grep '^[ ]|' >/tmp/xdata.log
prepare the captured data for wireshark:
bash$ text2pcap -T 1234,6000 /tmp/xdata.log /tmp/xdata.dump
Now one can use wireshark on /tmp/xdata.dump.
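As an added example (not part of the answer above), the Python below does in code what the strace + text2pcap pipeline does for the first bytes of an X connection: it reassembles the raw bytes from strace's ` | 00000  hex ... ascii |` dump lines (that line shape is an assumption taken from strace -e read=FD output) and then decodes the X11 connection setup request, which is the first thing every X client sends: byte-order byte, protocol version 11.0, and the authorization protocol name and data padded to 4 bytes. The dump and the MIT-MAGIC-COOKIE-1 value are constructed for the demo; the cookie is not a real one.

```python
"""Recover bytes from an strace -e read=FD hexdump and decode the X11 connection setup request."""
import re
import struct

# Assumed shape of one strace dump line (strace -e read=FD), e.g.
#  | 00000  6c 00 0b 00 00 00 12 00  10 00 00 00 4d 49 54 2d  l...........MIT- |
# Lines with fewer than 16 bytes whose ASCII column happens to look like hex pairs
# could be over-read; the 16-byte cap below limits that.
DUMP_LINE = re.compile(r"^\s*\|\s*[0-9a-f]{5}\s+((?:[0-9a-f]{2}\s+){1,16})", re.I)


def strace_dump_to_bytes(lines):
    """Concatenate the hex columns of strace '|' dump lines into raw bytes."""
    out = bytearray()
    for line in lines:
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def pad4(n):
    """Bytes of padding that bring n up to a multiple of 4 (X protocol rule)."""
    return (4 - n % 4) % 4


def parse_x11_setup(data):
    """Parse the X11 connection setup request: byte-order byte ('l' or 'B'),
    unused byte, CARD16 major/minor version, CARD16 lengths n and d, 2 unused
    bytes, then the authorization name (n bytes, padded) and data (d bytes, padded)."""
    if len(data) < 12:
        raise ValueError("setup request is at least 12 bytes")
    order = {0x6c: "<", 0x42: ">"}.get(data[0])     # 'l' = LSB first, 'B' = MSB first
    if order is None:
        raise ValueError("byte-order byte must be 'l' or 'B'")
    major, minor, name_len, data_len = struct.unpack_from(order + "HHHH", data, 2)
    off = 12
    name = data[off:off + name_len]
    off += name_len + pad4(name_len)
    auth = data[off:off + data_len]
    off += data_len + pad4(data_len)
    if len(name) != name_len or len(auth) != data_len:
        raise ValueError("truncated authorization fields")
    return {
        "byte_order": "little" if order == "<" else "big",
        "protocol": (major, minor),
        "auth_name": name.decode("ascii", "replace"),
        "auth_data": auth,
        "consumed": off,                             # where the first request proper begins
    }


def build_x11_setup(auth_name, auth_data, little_endian=True):
    """Construct a setup request the way an X client would; used for the demo."""
    order = "<" if little_endian else ">"
    head = struct.pack(order + "BxHHHHxx", 0x6c if little_endian else 0x42, 11, 0,
                       len(auth_name), len(auth_data))
    return (head + auth_name + b"\0" * pad4(len(auth_name))
            + auth_data + b"\0" * pad4(len(auth_data)))


def to_strace_dump(data):
    """Render bytes in the assumed strace '|' dump shape so the round trip can be shown."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = " ".join("%02x" % b for b in chunk[:8])
        if len(chunk) > 8:
            hexs += "  " + " ".join("%02x" % b for b in chunk[8:])
        ascii_ = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(" | %05x  %-49s %-16s |" % (off, hexs, ascii_))
    return lines


# Constructed sample: MIT-MAGIC-COOKIE-1 with a made-up 16-byte cookie.
SAMPLE_COOKIE = bytes(range(0xa0, 0xb0))
SAMPLE_DUMP = to_strace_dump(build_x11_setup(b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE))

if __name__ == "__main__":
    print("\n".join(SAMPLE_DUMP))
    print(parse_x11_setup(strace_dump_to_bytes(SAMPLE_DUMP)))
```

Feed it the lines that the grep in the answer writes to /tmp/xdata.log (the server's reads on the client fd) and the first record it decodes is the setup request; everything after "consumed" is ordinary X requests, which is where text2pcap and Wireshark's X11 dissector take over.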
Back in the '80s, there was an open source Xwindow proxy program that would be placed between the Server and the client. It was written in 'C' and easily modifiable to count types of messages, or volume of data passing in each direction. It also recognized malformed Xprotocol that would result when folks used the wrong functions in interrupt handlers.
I can't remember the name, but maybe searching on "Xwindow proxy" might help...
I'm not sure what the XWindow protocol is, but you could make a Lua Dissector for Wireshark:
http://wiki.wireshark.org/Lua
