Wednesday, January 26, 2011

Wireshark Remoting

The technique whereby feed handler data is captured on a remote engine and the capture is streamed back to your local workstation, for easier analysis and inspection. For more information, see:


1) You are using SSH keys to log in to engines;

2) Your ssh-agent is running (Ubuntu desktops) with your SSH keys added to the keyring.
Most Ubuntu desktops will run ssh-agent for you on login.

3) wireshark is installed on your workstation;
sudo aptitude install wireshark

4) tshark is installed on the engine;
sudo aptitude install tshark

5) You are in the 'wireshark' group on the engine,
and the relevant Linux capabilities are set up as per

A typical Bash command line looks like this (on your local workstation):

$ wireshark -k -i <(ssh hostname tshark -w- -p -i eth1 -f \'tcp portrange 4000-4010\')

Let's review exactly what these arguments mean.

For the local wireshark invocation:
The '-k' flag means 'start capturing immediately'.
The '-i' flag names the interface to capture from; here that is the pipe created by the <(...) construct rather than a real network interface.

The <(...) bash construct is process substitution: bash runs the command inside the parentheses and substitutes the path of a pipe (such as /dev/fd/63) carrying its output, which wireshark then reads. In this case the command runs 'tshark' remotely on the engine (written as hostname in the command line, matrab in this example) to capture from interface eth1.

'ssh hostname tshark' runs tshark, the command-line version of wireshark, remotely on hostname.

The '-w-' flag means: write the raw PCAP format output captured by tshark to the standard output of the ssh remoted command, so that the local wireshark GUI on your workstation will pick up the feed.

The '-i' flag specifies the physical interface upon which to tap the traffic. This can only be a single logical Linux network interface.

If you need to capture traffic on more than one interface at once, you will need to configure a bridge interface. This is out of scope for this example. Typically this is only used for non-invasive captures using passive network taps.

Typically, the argument passed to the '-i' flag to tshark is chosen by using the Linux-specific command 'ip route get x.x.x.x' to find the physical Ethernet interface where a feed handler is running.

In this example, we used 'ip route get' to find the physical interface which matrab uses to reach an EBS Ai on the A-feed at Equinix LD4: eth1.
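The one-liner above and the 'ip route get' step can be wrapped into a small script. The following is an added example, not code from the original post: it asks the engine which interface it uses to reach the feed address, quotes the capture filter so the remote shell sees it as one argument (what the \' in the one-liner does by hand), and hands the pipe to wireshark. The function names and the preflight checks are assumptions; the 'ip route get' sample output used for testing is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.  Function names and the
# preflight checks are assumptions.
#
# Usage:  remote-capture.sh engine-host feed-ip 'tcp portrange 4000-4010'

# Wrap a string in single quotes for the remote shell, turning any embedded
# single quote into '\'' (close quote, escaped quote, reopen).  This is what
# the \' in the post's one-liner achieves by hand: ssh joins its arguments
# into one string and the remote shell re-parses it.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Pull the 'dev NAME' field out of 'ip route get' output.  Takes the output
# text as $1 so it can be exercised without running ip(8).
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Build the remote tshark command line: raw pcap to stdout (-w-), no
# promiscuous mode (-p), the chosen interface (-i) and the pcap filter (-f).
build_remote_cmd() {
    iface=$1 filter=$2
    printf 'tshark -w- -p -i %s -f %s' "$(sq "$iface")" "$(sq "$filter")"
}

# The routing decision is made on the engine, not the workstation, so ask
# the engine itself which interface reaches the feed address.
remote_iface_for() {
    engine=$1 target=$2
    route_dev "$(ssh "$engine" ip route get "$target")"
}

main() {
    engine=$1 feed_ip=$2 filter=$3
    # Preflight for prerequisites 2 and 3 of the post: keys loaded in the
    # agent, wireshark present locally.
    ssh-add -l >/dev/null 2>&1 || { echo "no keys in ssh-agent" >&2; return 1; }
    command -v wireshark >/dev/null || { echo "wireshark not installed" >&2; return 1; }
    iface=$(remote_iface_for "$engine" "$feed_ip")
    [ -n "$iface" ] || { echo "could not determine interface on $engine" >&2; return 1; }
    cmd=$(build_remote_cmd "$iface" "$filter")
    echo "capturing on $engine:$iface with: $cmd" >&2
    # Equivalent to the post's  wireshark -k -i <(ssh ...)  but written as a
    # plain pipe ('-i -' reads the capture from stdin) so it also works in sh.
    ssh "$engine" "$cmd" | wireshark -k -i -
}

case $# in
    3) main "$@" ;;
    *) echo "usage: $0 engine-host feed-ip 'pcap-filter'" >&2 ;;
esac
```

build_remote_cmd and route_dev are kept free of side effects so the quoting and the interface lookup can be checked on their own before an ssh session is ever opened.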

The '-p' flag tells tshark NOT to put the interface into 'promiscuous mode' -- a special hardware mode where a network adapter will pass traffic up the network stack, even if it isn't addressed to any of the *hardware addresses* the adapter is configured for.

Typically this is only needed for closer inspection, or if it's suspected that network addressing is incorrectly configured at either end of a feed. Promiscuous mode carries a penalty in that the system must then process every single packet physically received.

Finally, the '-f' flag specifies a PCAP style filter expression. The syntax for these expressions is NOT the same as the wireshark filter language; it can be found in the manual page for pcap-filter (man 7 pcap-filter).

In this example, we are asking only for TCP traffic with a port number between 4000 and 4010 in *either* the source *or* the destination port field.

PCAP filters are implemented inside the Linux kernel using a virtual CPU. Just-in-time assembly is used to convert the filters to x86 machine language for fast capture. The virtual machine, LPF, is based closely on the original Berkeley Packet Filter (BPF) design from BSD. The virtual machine has 8-bit opcodes, and 32-bit addressing modes.