To experiment with using TShark to analyze how an unknown application is communicating, and what data it is sending and receiving.
When using TShark on the Google Cloud VM, there is a lot of extra "noise" caused by the fact that we are connected over SSH. The SSH client on your machine sends regular updates to the SSH server running on your VM.
In order to not have these show up, you can use the "not port 22" filter like this:
$ tshark -f "not port 22"
Now TShark will print all of the packets it gets, but not the ones coming in or going out on port 22 (which is the SSH port). There will still be some "noise" packets coming in, but it will be many less.
To see this, run this command in one window, and then connect a second SSH window to your VM. Run the following command in that window:
$ wget http://ianfinlayson.net/class/cpsc414/labs/07-reverse
This will download the HTML page for this lab to your VM. You should at that point see a flurry of packets coming in for the HTTP request.
So far we have only used TShark to print various packet fields at the different network layers. But we can also use it to print the data being sent in those packets. This can be done with the "-x" flag:
$ tshark -f "not port 22" -x
This will print packet data onto the screen in a format like this:
$ tshark -f "not port 22" -x 0000 42 01 0a 8e 00 01 42 01 0a 8e 00 03 08 00 45 00 B.....B.......E. 0010 00 34 3b cb 40 00 40 06 91 90 0a 8e 00 03 23 cf .4;.@.@.......#. 0020 3f 09 cc 00 00 50 54 04 45 d6 89 74 53 37 80 11 ?....PT.E..tS7.. 0030 01 45 6d 8f 00 00 01 01 08 0a fc ad f5 9c fa 6f .Em............o 0040 fa 4d .M
There are three main sections here:
Looking at the data can show you what an application is doing on the network. Try to run the wget command again. You should see the HTML text of the lab page show up in the TShark output.
You will be doing some analysis on a network program called "prog". You can download it with the following command:
$ wget http://ianfinlayson.net/class/cpsc414/labs/prog
Then give it executable permissions so you can run it:
$ chmod +x prog
You should run this program in one window and TShark in another window, so you can see what packets it's sending and receiving.
You will need to get TShark to print some other information from packet headers, such as IPs and ports. If you leave off the "-x", then TShark will print this information for you. I recommend finding the IP and port first, then you can use "-f port XXXX" as a filter which will only print the packets for this program.
When you're finished, email your answers to firstname.lastname@example.org.
Copyright © 2019 Ian Finlayson | Licensed under a Creative Commons Attribution 4.0 International License.