apparently I don't understand wireshark....

apparently I don't understand wireshark....

Postby v1nsai » Tue Jun 08, 2010 1:24 am UTC

I'm trying to reverse engineer an iPhone vBulletin viewer that doesn't require a plugin on the server, because I am writing one for Android and am curious how it is done. I'm using Wireshark to try to see the conversation going on between my iPod touch and the remote forum server, but the only packets that show up are packets involving hosts on the local network; all the packets going to or from the Internet aren't showing up. I even tried the capture on a promiscuous interface, still nothing. I thought Wireshark could see anything that the other hosts on the subnet see? Just for the record, the host running Wireshark and my iTouch can ping each other no problem, and Wireshark sees it.
C:\dos
C:\dos.run
run dos.run

Re: apparently I don't understand wireshark....

Postby phlip » Tue Jun 08, 2010 2:43 am UTC

Wireshark can only see packets that actually make it to your computer... if the phone, your computer, and the Internet connection are all plugged into a switch, then the switch will never send the packets through to the computer. All "promiscuous mode" does is that if a packet gets sent along the wire to your computer, but your computer isn't the actual recipient, it'll show it anyway (which means that if you have a hub instead of a switch, which sends all packets to everyone, it'll see everything on the network).

What you need to do is set up your computer as an intermediary between your phone and the net. This isn't actually that hard to do, you just need to set up some forwarding. What OS are you running on the computer? I've done it in Linux, and I think I know how to do it in Windows (but haven't tested it).

enum ಠ_ಠ {°□°╰=1, °Д°╰, ಠ益ಠ╰};
void ┻━┻︵​╰(ಠ_ಠ ⚠) {exit((int)⚠);}
[he/him/his]

Re: apparently I don't understand wireshark....

Postby Eseell » Tue Jun 08, 2010 4:31 am UTC

Alternatively, since I recall that you were studying Cisco, if you have a Cisco switch around you can use it as a simple network tap by setting up SPAN ports. You can use SPAN ports to mirror traffic from the wireless access point to your PC.
"Math is hard work and it occupies your mind -- and it doesn't hurt to learn all you can of it, no matter what rank you are; everything of any importance is founded on mathematics." - Robert A. Heinlein

Re: apparently I don't understand wireshark....

Postby hintss » Tue Jun 08, 2010 5:05 am UTC

AFAIK, the way the app would work is that it parses the HTML, and sends POST and GET data like the forum page would. I think that installing tamperdata for firefox or similar would help more.

also, ad-hoc networks are your friends.

Re: apparently I don't understand wireshark....

Postby v1nsai » Wed Jun 09, 2010 1:37 am UTC

Howdy Eseell, what's up? I don't have a Cisco switch around, and both the iPod and the device are on wireless anyway (do they make wireless switches?)

I'm thinking I'll probably end up writing a parser for the HTML output but I'm hoping there is something a little easier that I haven't thought of that I'll be able to find out.

Using Tamper Data is a really good idea; I'll fire it up when I get home. Just out of curiosity though, how would I need to configure my laptop as an intermediary using Ubuntu? I'm still mad that Wireshark isn't doing what I want, and that would make me feel like I've won :-D
C:\dos
C:\dos.run
run dos.run

Re: apparently I don't understand wireshark....

Postby phlip » Wed Jun 09, 2010 2:34 am UTC

v1nsai wrote:Just out of curiosity though, how would I need to configure my laptop as an intermediary using Ubuntu?

It's pretty simple... on your phone, set the default gateway to be your laptop (if you're using DHCP, you'll need to switch to a static IP). Keep the DNS settings the same (which'll either be your router or your ISP's DNS servers or something, depending on your setup), only change the gateway. That means that all traffic destined for the Internet will be sent to your laptop first.

Then, on your laptop, in a terminal as root, run:

echo 1 > /proc/sys/net/ipv4/ip_forward
That'll enable IP forwarding (which is disabled by default for security reasons). By default (with no firewall rules in iptables) that means that any packet sent to your computer at the link layer, but with a different IP address at the internet layer, will be forwarded on as appropriate. Basically, it turns your computer into a router. In this case, a router with only one connection, which forwards packets out on the same connection they come in on, but still, a router.

Now, any packet your phone sends will be sent to your computer, which will forward them to your router, which will forward them to the 'net. But any packet coming back from the net will be sent directly to your phone from the router. Easiest way to get around this is to set up NAT on the laptop, so that, when the packets from the phone are forwarded by the computer, it pretends they actually came from the computer... so the responses will be sent back to the computer, and it can then forward them back to the phone. To do this, in a terminal as root, run:

iptables --table nat --append POSTROUTING --source <phone IP address> -j MASQUERADE


At least, I'm pretty sure that's how you do it... it's been a while since I've set that up, I might've forgotten a step.

enum ಠ_ಠ {°□°╰=1, °Д°╰, ಠ益ಠ╰};
void ┻━┻︵​╰(ಠ_ಠ ⚠) {exit((int)⚠);}
[he/him/his]
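
The steps phlip describes above (gateway pointed at the laptop, ip_forward on, MASQUERADE for the phone's source address), collected into one POSIX shell script. This is an added example, not code from anyone in this thread; the phone address 192.168.1.50 and the interface name wlan0 are made-up placeholders, as is the phone.pcap file name. It also does two things the post does not mention: it forwards only the phone's packets (so the laptop is not an open router for whatever else on the LAN might point a gateway at it), and it turns off ICMP redirects, because a Linux box forwarding back out the interface a packet arrived on will otherwise tell the phone to talk to the real router directly, and the capture goes quiet. Run as root; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): make an Ubuntu laptop the gateway for one
# phone so every packet the phone exchanges with the Internet crosses the laptop's
# interface, where Wireshark/tcpdump can capture it. Placeholder values:
# PHONE_IP=192.168.1.50, IFACE=wlan0. Run as root; DRY_RUN=1 prints instead of runs.
# On the phone: static IP, gateway = the laptop's IP, DNS left unchanged.

PHONE_IP="${PHONE_IP:-192.168.1.50}"   # hypothetical phone address
IFACE="${IFACE:-wlan0}"                # hypothetical laptop interface

run() {
    # Execute a command, or just print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

valid_ipv4() {
    # Accept exactly four dotted decimal octets, each 0-255, and nothing else,
    # so a stray value never ends up inside an iptables rule.
    ip=$1
    [ -n "$ip" ] || return 1
    case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    while [ -n "$ip" ]; do
        o=${ip%%.*}
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        case $ip in *.*) ip=${ip#*.} ;; *) ip='' ;; esac
    done
    [ "$n" -eq 4 ]
}

gateway_up() {
    valid_ipv4 "$PHONE_IP" || { echo "bad PHONE_IP: $PHONE_IP" >&2; return 1; }
    # 1. Turn on forwarding (same effect as echo 1 > /proc/sys/net/ipv4/ip_forward).
    run sysctl -w net.ipv4.ip_forward=1
    # 2. A one-armed router sends ICMP redirects telling the phone to use the real
    #    router directly; if the phone honours them the capture goes quiet.
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.$IFACE.send_redirects=0"
    # 3. Forward only the phone's traffic; everything else that arrives for
    #    forwarding is dropped.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$IFACE" -s "$PHONE_IP" -j ACCEPT
    run iptables -A FORWARD -o "$IFACE" -d "$PHONE_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Source-NAT the phone's packets so replies come back through the laptop.
    run iptables -t nat -A POSTROUTING -s "$PHONE_IP" -o "$IFACE" -j MASQUERADE
}

gateway_down() {
    # Undo in reverse order. Ubuntu's default FORWARD policy is ACCEPT; adjust if
    # yours differs.
    run iptables -t nat -D POSTROUTING -s "$PHONE_IP" -o "$IFACE" -j MASQUERADE
    run iptables -D FORWARD -o "$IFACE" -d "$PHONE_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$IFACE" -s "$PHONE_IP" -j ACCEPT
    run iptables -P FORWARD ACCEPT
    run sysctl -w net.ipv4.ip_forward=0
}

capture_phone() {
    # Both legs of every conversation now carry the phone's address on $IFACE:
    # phone -> laptop (before NAT) and laptop -> phone (the reply, after NAT is
    # reversed). Open phone.pcap in Wireshark.
    run tcpdump -i "$IFACE" -w phone.pcap "host $PHONE_IP"
}

case "${1:-}" in
    up)      gateway_up ;;
    down)    gateway_down ;;
    capture) capture_phone ;;
esac
```

Usage: `DRY_RUN=1 sh gateway.sh up` to see what would be run, then `sh gateway.sh up`, `sh gateway.sh capture`, and `sh gateway.sh down` when done. The filter `host <phone IP>` is what keeps the capture to the phone's traffic; without it you also get the laptop's own post-NAT copies of the same packets, which is confusing to read.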

Re: apparently I don't understand wireshark....

Postby hintss » Wed Jun 09, 2010 4:32 am UTC

my simple suggestion would have been connecting the router's WAN port to the hub, where the computer is also connected...

immediate edit: parse the RSS, not the HTML...

Re: apparently I don't understand wireshark....

Postby the.coding.eye » Wed Jun 09, 2010 4:39 am UTC

Another option you could go for is temporarily setting up MAC spoofing using Cain and Abel*. With Cain and Abel you can choose which two devices you want to intercept data between. Depending on the hardware you have available and your comfort (or lack thereof) with the command line, this may be easier than using a tap, a monitor port, or configuring your iTouch to send traffic through your laptop.

* Standard disclaimer when using Cain and Abel: only use it on your own network and only for testing purposes.
"In theory, theory and practice are the same. In practice, they are not."

Re: apparently I don't understand wireshark....

Postby phillipsjk » Wed Jun 09, 2010 5:11 pm UTC

If you don't mind the performance penalty, you can use a 10Mbps HUB to tap a specific ethernet cable on your network. I usually kill the DHCP client so that the computer running Wireshark does not get assigned an IP address (especially if tapping between the router and ADSL modem).

I bought a HUB just for that purpose in the last few years, so you may be able to find one new.

Edit: should have read rather than skimmed the thread before responding :P

Edit: I have not tried it (because I have a HUB), but it is possible to force cheap switches into hub mode.
Did you get the number on that truck?

Re: apparently I don't understand wireshark....

Postby v1nsai » Fri Jun 11, 2010 6:21 pm UTC

hintss wrote:my simple suggestion would have been connecting the router's WAN port to the hub, where the computer is also connected...

immediate edit: parse the RSS, not the HTML...


Wow, thanks for that. I had no idea that vBulletin sites broadcast RSS feeds. That will be a lot easier to parse than the HTML. As far as I can tell from tamperdata it seems like that's what the Forums app on iPhone does.

Got my system running as a NAT between my iPod too; very neat trick, I'll remember that one.
C:\dos
C:\dos.run
run dos.run