Perl script as a sniffer with built-in statistics

Baby Shark

Article from Issue 180/2015

If you need to browse through packets rushing by on the local network, Wireshark provides a useful service. But, if you prefer to build your own tools, why not use the command-line version, TShark, and a terminal-friendly Curses UI?

The easily installed and feature-rich analysis tool Wireshark reveals that calling a single news site on the Internet can cause more than 3,000 network packets to zoom back and forth between the browser and various servers, which can leave the respective user's fingerprints on a couple of dozen different websites.

Gullible Browsers

Have you ever wondered why each port of call on the Internet brings up the goodies you recently perused on Amazon, not to mention those pesky Facebook Like buttons? It seems that the original policy introduced by Netscape back in the dark ages of the Internet to ensure privacy despite cookies has been laid to waste by gatecrashers, such as DoubleClick.

You can now always assume that not only do the pages you surf know that you are back, but so do a dozen other curious sites that pay for the privilege. If you don't take drastic steps, the browser will gullibly broadcast your identity, including your surfing habits, all over the world.

The powerful GUI tool Wireshark (Figure 1) can help sniff out who's looking over your shoulder. This month, however, I'll take a different approach and present a Perl script that can be launched in a terminal window, just like the top utility (Figure 2). The script shows a constantly updated list of the identified targets of all network packets sniffed off the wire, sorted by frequency, with the addresses resolved into DNS names.

Figure 1: The Wireshark GUI displaying sniffed packets.
Figure 2: The topaddr script outputs the most commonly found packet addresses.

One hurdle needs to be cleared in advance: The Linux kernel only offers raw network packets to a process if it is running with root privileges or has equivalent Unix capabilities. Running Wireshark with root privileges appeared too risky to its creators, so they offer wireshark-common as an assisting package. This sets up a new Unix user named wireshark and a Unix group with the same name.

Not as Root

If the admin on an Ubuntu or Debian system runs the following command:

sudo dpkg-reconfigure wireshark-common

the postinst script equips /usr/bin/dumpcap, the capture program used by Wireshark, either with the Linux capabilities cap_net_raw and cap_net_admin (if available) or with a set-user-ID bit, so that each member of the wireshark Unix group is given access to raw network data. Other distributions add these settings from the outset when the package is installed. Users interested in the raw packets now only need to do this:

sudo usermod -a -G wireshark <Username>

to join the Wireshark group. And, after logging off and back on (yes, no kidding), they can then start collecting packets using the non-privileged account.

Command Line Instead of GUI

Wireshark's little command-line brother TShark, which Ubuntu installs with the command:

sudo apt-get install tshark

has similar capabilities for intercepting and filtering network packets and is therefore suitable for script-based data collection. Because the Ubuntu tshark package also installs the wireshark-common package for support, the above call to dpkg-reconfigure gives TShark access to the raw network data.

A list of responsive network interfaces is output by calling tshark -D; an Ethernet card will appear here, for example, as eth0; a WiFi interface as en0; and the loopback interface as lo. If you still can't decide and want to listen on all channels at the same time, you can also specify any.

TShark now either stores the incoming data stream 1:1 in binary PCAP format or prefilters the input to save space. For example, the command

tshark -i any -T fields -e ip.dst

only outputs the target addresses of packets passing through, although this still causes a significant flood of data on an active system.

The idea behind the script in Listing 1 [1] is to field these addresses and other data from the TShark output, accumulate the data, and display the results as an updated list with counters in a terminal running under Curses.

Listing 1

topaddr

#!/usr/local/bin/perl -w
use strict;
use TopGUI;
use AnyEvent;
use TopCapture;
use IO::Socket::INET;

# Capture backend that collects the packet statistics
my $tsc = TopCapture->new;
$tsc->start;

# Terminal UI; when it signals "clear", reset the statistics
my $tsg = TopGUI->new();
$tsg->reg_cb( "clear", sub {
    $tsc->reset;
} );

# Local address of an outbound connection, used to filter our own IP
my $my_ip = IO::Socket::INET->new(
    PeerAddr => 'google.com',
    PeerPort => 80,
)->sockhost;

# Refresh the display once per second
my $timer = AnyEvent->timer(
    after    => 0,
    interval => 1,
    cb       => sub {
        my( $packets, $dnsmap ) = $tsc->stats;

        my $max   = $tsg->{ lbox }->height();
        my @lines = ();

        # Highest counter first
        for my $name ( sort { $dnsmap->{ $b }
                          <=> $dnsmap->{ $a } }
                       sort keys %$dnsmap ) {

            # Skip entries for the local address
            next if $name eq $my_ip;

            push @lines,
                sprintf "%4d %s",
                    $dnsmap->{ $name }, $name;
            last if --$max == 0;
        }
        $tsg->update( $packets, \@lines );
    },
);

$tsg->start;
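
The accumulate step described before Listing 1, as an added example that is not the article's TopCapture module: it counts the destination addresses in the output of tshark -T fields -e ip.dst and copes with empty and multi-valued fields. The function names tally_dst and top_n and the sample addresses are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Count destination addresses in `tshark -T fields -e ip.dst` output.
# Returns ( \%count_by_address, $skipped_lines ).
sub tally_dst {
    my ($fh) = @_;
    my %count;
    my $skipped = 0;
    while ( my $line = <$fh> ) {
        chomp $line;
        # Non-IP frames (ARP, for example) produce an empty field.
        if ( $line eq '' ) { $skipped++; next }
        # Nested IP headers (an ICMP error quoting the original packet)
        # are joined as "outer,inner"; count only the outer destination.
        my ($dst) = split /,/, $line;
        # Accept only well-formed dotted quads before using them as keys.
        my @octets = $dst =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
        if ( @octets != 4 or grep { $_ > 255 } @octets ) { $skipped++; next }
        $count{$dst}++;
    }
    return ( \%count, $skipped );
}

# Format the $n busiest destinations as in Listing 1: count, then address.
sub top_n {
    my ( $count, $n ) = @_;
    my @order = sort { $count->{$b} <=> $count->{$a} or $a cmp $b }
                keys %$count;
    splice @order, $n if @order > $n;
    return map { sprintf "%4d %s", $count->{$_}, $_ } @order;
}

# Constructed sample input. For live data, read from a pipe instead:
#   open my $fh, '-|', qw(tshark -l -i any -T fields -e ip.dst) or die $!;
my $sample = join "\n",
    '198.51.100.7', '203.0.113.9', '', '198.51.100.7',
    '192.0.2.1,198.51.100.7', '999.1.1.1', '198.51.100.7', '';
open my $fh, '<', \$sample or die "cannot open sample: $!";
my ( $count, $skipped ) = tally_dst($fh);
close $fh;

print "$_\n" for top_n( $count, 10 );
print "skipped $skipped line(s)\n";
```

Opening the pipe in list form, as in the comment, keeps the tshark arguments away from a shell; adding -E occurrence=f to that command makes TShark emit only the first occurrence of the field itself.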
