packet-capture interview questions
Top packet-capture frequently asked interview questions
I need to capture HTTP traffic in the browser. TamperData is an extension to track and modify HTTP/HTTPS requests.
I am aware of tools like Fiddler, but I am looking for an addon that runs inside the web browser as extension.
Source: (StackOverflow)
I opened a pcap in Wireshark and it displays a lot of packets as "TCP segment of a reassembled PDU". How is Wireshark able to determine which TCP packets are segments of a reassembled PDU? I am not able to find any header field or anything else by which Wireshark can determine this.
Any help will be greatly appreciated. Thanks!
Source: (StackOverflow)
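A worked illustration of the point behind this question, added here as an example and not part of the original post. Wireshark has no header field to go on: the dissector for the upper-layer protocol parses the PDU's own length field (here the 2-byte length in a TLS record header) and, when a TCP segment's payload ends before that length is reached, labels the segment "TCP segment of a reassembled PDU" and buffers it by sequence number until the rest arrives. The segments, record sizes and sequence numbers below are constructed.

```python
"""Reassemble TLS records from TCP segments the way a protocol dissector does.

Constructed example: two TLS records split across three TCP segments, one of
which arrives out of order. Input is (seq, payload) per segment. Nothing in
the TCP header says "this is part of a larger PDU"; the record's own length
field does.
"""
import struct

TLS_HEADER_LEN = 5  # content type (1) + version (2) + length (2)


def tls_pdu_length(buf: bytes):
    """Full TLS record length if the 5-byte header is present, else None."""
    if len(buf) < TLS_HEADER_LEN:
        return None
    ctype, version, length = struct.unpack("!BHH", buf[:TLS_HEADER_LEN])
    if ctype not in (20, 21, 22, 23) or version >> 8 != 3:
        raise ValueError("not a TLS record header")
    return TLS_HEADER_LEN + length


def reassemble(segments, pdu_length=tls_pdu_length):
    """Label each segment and return (labels, completed_pdus).

    A segment gets 'PDU' when it completes one or more PDUs, otherwise the
    Wireshark-style 'TCP segment of a reassembled PDU'. Out-of-order segments
    are parked in `pending` until the gap before them is filled.
    """
    labels, pdus = [], []
    expected_seq = None
    stream = b""
    pending = {}  # seq -> payload
    for seq, payload in segments:
        if expected_seq is None:
            expected_seq = seq
        pending[seq] = payload
        # Append everything that is now contiguous from expected_seq.
        appended = False
        while expected_seq in pending:
            chunk = pending.pop(expected_seq)
            stream += chunk
            expected_seq += len(chunk)
            appended = True
        # Cut off as many complete PDUs as the buffered stream now holds.
        completed = 0
        while appended:
            need = pdu_length(stream)
            if need is None or len(stream) < need:
                break
            pdus.append(stream[:need])
            stream = stream[need:]
            completed += 1
        labels.append("PDU" if completed else "TCP segment of a reassembled PDU")
    return labels, pdus


def tls_record(ctype, body):
    """Constructed TLS 1.2 record: type, version 0x0303, length, body."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def demo():
    # Constructed stream: a 60-byte handshake record then a 30-byte application-data record.
    r1 = tls_record(22, b"H" * 55)  # 5 + 55 = 60 bytes
    r2 = tls_record(23, b"A" * 25)  # 5 + 25 = 30 bytes
    stream = r1 + r2
    base = 1000
    seg1 = (base, stream[:40])        # incomplete r1
    seg2 = (base + 40, stream[40:70])  # rest of r1, start of r2
    seg3 = (base + 70, stream[70:])    # rest of r2
    # seg3 is delivered before seg2 to show the sequence-number bookkeeping.
    return reassemble([seg1, seg3, seg2])


if __name__ == "__main__":
    labels, pdus = demo()
    for i, label in enumerate(labels, 1):
        print("segment %d: %s" % (i, label))
    print("%d PDUs reassembled" % len(pdus))
```

The first two segments are labelled as partial because the stream either ends before the declared record length or has a hole before it; the third completes both records at once. Replace `tls_pdu_length` with any function that reads the length field of the protocol you are looking at (HTTP Content-Length, a TLV framing, etc.) and the same logic applies.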
I wrote a simple server app in C which runs on localhost. How to capture localhost traffic using Wireshark?
Source: (StackOverflow)
How can I sniff packets from my iPhone on my network? Can someone give me some instructions? I tried Googling, but nothing teaches how to sniff iPhone packets.
I am on Windows.
Source: (StackOverflow)
I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some MAC addresses. To do this I tried to run the command using a syntax similar to Wireshark's:
tcpdump -i prism0 ether src[0:3] 5c:95:ae -s0 -w | nc 192.168.1.147 31337
so that I can listen to all the devices whose MAC address starts with 5c:95:ae.
The problem is that the syntax is wrong and I was wondering if anyone of you knows the right syntax to get what I want.
Source: (StackOverflow)
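Added example (not from the post or its answers) of how a MAC-prefix filter is written in pcap-filter syntax: there is no mask form for ether src, so the three OUI bytes of the source address (frame offsets 6 to 8) are compared directly, and because BPF loads only 1, 2 or 4 bytes per comparison a 3-byte prefix becomes a 2-byte plus a 1-byte test. The code builds that expression, shows the full tcpdump pipeline with -w - so the capture goes to stdout for nc, and applies the same byte comparison to constructed Ethernet frames so the logic can be checked offline. The interface, prefix, host and port values are the ones from the post.

```python
"""Filter Ethernet frames by source-MAC prefix (OUI) and emit the equivalent tcpdump filter.

pcap-filter has no "ether src ... mask" syntax, so a prefix has to be written as
byte comparisons at fixed offsets: destination MAC is ether[0..5], source MAC is
ether[6..11]. BPF loads 1, 2 or 4 bytes at a time, so 3 bytes become 2 + 1.
"""

ETH_OFFSETS = {"dst": 0, "src": 6}


def parse_mac_prefix(text):
    """'5c:95:ae' -> b'\\x5c\\x95\\xae'; accepts 1 to 6 colon-separated octets."""
    parts = text.strip().lower().split(":")
    if not 1 <= len(parts) <= 6:
        raise ValueError("MAC prefix must have 1 to 6 octets")
    return bytes(int(p, 16) for p in parts)


def bpf_for_prefix(prefix_text, field="src"):
    """pcap-filter expression matching frames whose src/dst MAC starts with the prefix."""
    prefix = parse_mac_prefix(prefix_text)
    base = ETH_OFFSETS[field]
    terms = []
    i = 0
    while i < len(prefix):
        # Greedily use the widest load BPF supports that still fits in the prefix.
        for width in (4, 2, 1):
            if i + width <= len(prefix):
                value = int.from_bytes(prefix[i:i + width], "big")
                terms.append(f"ether[{base + i}:{width}] = 0x{value:0{width * 2}x}")
                i += width
                break
    return " and ".join(terms)


def tcpdump_command(iface, prefix_text, host, port):
    """Capture matching frames and stream the pcap to a remote nc listener.

    -w - writes the capture file to stdout; the filter is single-quoted so the
    shell does not treat the brackets as globs.
    """
    return f"tcpdump -i {iface} -s0 -w - '{bpf_for_prefix(prefix_text)}' | nc {host} {port}"


def matches_prefix(frame, prefix_text, field="src"):
    """Software equivalent of the BPF expression, for checking the logic offline."""
    prefix = parse_mac_prefix(prefix_text)
    base = ETH_OFFSETS[field]
    return frame[base:base + len(prefix)] == prefix


def make_frame(dst, src, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed Ethernet II frame: 6-byte dst, 6-byte src, 2-byte type, payload."""
    return parse_mac_prefix(dst) + parse_mac_prefix(src) + ethertype.to_bytes(2, "big") + payload


# Constructed sample frames: two from 5c:95:ae:* devices, one from another vendor.
SAMPLE_FRAMES = [
    make_frame("ff:ff:ff:ff:ff:ff", "5c:95:ae:10:20:30"),
    make_frame("00:11:22:33:44:55", "5c:95:ae:aa:bb:cc"),
    make_frame("00:11:22:33:44:55", "00:1a:2b:3c:4d:5e"),
]


def count_matching(frames, prefix_text, field="src"):
    return sum(1 for f in frames if matches_prefix(f, prefix_text, field))


if __name__ == "__main__":
    print(tcpdump_command("prism0", "5c:95:ae", "192.168.1.147", 31337))
    print(count_matching(SAMPLE_FRAMES, "5c:95:ae"), "of", len(SAMPLE_FRAMES), "frames match")
```

On a wireless monitor interface the link type may not be Ethernet II (radiotap or 802.11 headers come first), so check `tcpdump -i <iface> -L`/the DLT before relying on fixed ether offsets; the comparison logic is the same, only the offsets move.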
I'm trying to implement a simple firewall for Android with VpnService for my BS project. I chose VpnService because it will work on non-rooted devices. It will log connections and let you filter connections (based on IP).
There is an application doing this (on the Google Play app store), so it is possible.
I did some research and found that VpnService creates a TUN interface. Nothing more. (No VPN implementation, just a tunnel.) It lets you give an address to this interface and add routes. It returns a file descriptor. You can read outgoing packets and write incoming packets.
I created a VpnService-derived class and started the service. I can configure tun0 with the VpnService.Builder class. When I look at mobiwol's connection with adb shell netcfg, it creates a tun0 interface with the 10.2.3.4/32 address. It routes all packets to this private network and sends them to the internet. I'm trying the same. I created an interface with the 10.0.0.2/32 address and added a route with the addRoute function: 0.0.0.0/0, so I can capture all packets from all networks as far as I understand. (I'm pretty new to this subject and still learning. I found pieces over the internet, so I'm not really sure. Correct me if I'm wrong.)
I created 2 threads in the service. One reads from the file descriptor and writes it to 127.0.0.1 with a protected socket. (I'm not really sure if I should read/write to 127.0.0.1. Maybe this is the problem.)
I analyzed packets that I read from file descriptor. For example:
01000101 byte:69 //ipv4 20byte header
00000000 byte:0 //TOS
00000000 byte:0 //Total Length
00111100 byte:60 //Total Length
11111100 byte:-4 //ID
11011011 byte:-37 //ID
01000000 byte:64 //fragment
00000000 byte:0 //"
01000000 byte:64 //TTL
00000110 byte:6 //Protocol 6 -> TCP
01011110 byte:94 //Header checksum
11001111 byte:-49 //Header checksum
00001010 byte:10 //10.0.0.2
00000000 byte:0
00000000 byte:0
00000010 byte:2
10101101 byte:-83 //173.194.39.78 //google
00111110 byte:-62
00100111 byte:39
01001110 byte:78
10110100 byte:-76 // IP option
01100101 byte:101
00000001 byte:1
10111011 byte:-69
//20byte IP header
01101101 byte:109
. . //40byte data (I couldn't parse the TCP header;
I think it's not needed when I route this in the IP layer)
. .
. .
00000110 byte:6
I didn't find any other IP header in the rest of the data. I think there should be an encapsulation between the 10.0.0.2 network, the local network (192.168.2.1) and the internet. I'm not sure.
My real problem is that I'm stuck on the incoming packets thread. I can't read anything. No response. As you can see in the screenshot, there is no incoming data:
[screenshot]
I'm trying to read from the same connection which I'm using for writing to 127.0.0.1 with the protected socket.
Android <-> Tun Interface (tun0) <-> Internet connection
All packages <-> 10.0.0.2 <-> 127.0.0.1? <-> 192.168.2.1 <-> Internet?
I couldn't find anything helpful about VpnService. (The ToyVPN example is just useless.) I read documents about Linux TUN/TAP, but they are about tunnelling between a host and a remote. I want host and remote on the same device, not like tunnelling.
How can I do this?
Anything helpful would be appreciated (books, examples, basic information...). I'm sorry about my bad English; English isn't my first language.
Edit: Code requested. It is at a very early stage. As I mentioned before, it is a VpnService-derived class. 2 threads (reading and writing) are created in the service thread.
package com.git.firewall;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.DatagramChannel;

import android.app.PendingIntent;
import android.content.Intent;
import android.net.VpnService;
import android.os.Handler;
import android.os.Message;
import android.os.ParcelFileDescriptor;
import android.util.Log;
import android.widget.Toast;

public class GITVpnService extends VpnService implements Handler.Callback, Runnable {
    private static final String TAG = "GITVpnService";

    // Local endpoint the tun traffic is forwarded to over a protected UDP socket.
    private String mServerAddress = "127.0.0.1";
    private int mServerPort = 55555;
    private PendingIntent mConfigureIntent;

    private Handler mHandler;
    private Thread mThread;
    private ParcelFileDescriptor mInterface;
    private DatagramChannel mTunnel = null;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // The handler is only used to show messages.
        if (mHandler == null) {
            mHandler = new Handler(this);
        }
        // Stop the previous session by interrupting the thread.
        if (mThread != null) {
            mThread.interrupt();
        }
        // Start a new session by creating a new thread.
        mThread = new Thread(this, "VpnThread");
        mThread.start();
        return START_STICKY;
    }

    @Override
    public void onDestroy() {
        if (mThread != null) {
            mThread.interrupt();
        }
    }

    @Override
    public boolean handleMessage(Message message) {
        if (message != null) {
            Toast.makeText(this, (String) message.obj, Toast.LENGTH_SHORT).show();
        }
        return true;
    }

    @Override
    public synchronized void run() {
        try {
            Log.i(TAG, "Starting");
            InetSocketAddress server = new InetSocketAddress(mServerAddress, mServerPort);
            run(server);
        } catch (Exception e) {
            Log.e(TAG, "Got " + e.toString());
            try {
                if (mInterface != null) {
                    mInterface.close();
                }
            } catch (Exception e2) {
                // ignore
            }
            Message msgObj = mHandler.obtainMessage();
            msgObj.obj = "Disconnected";
            mHandler.sendMessage(msgObj);
        }
    }

    private boolean run(InetSocketAddress server) throws Exception {
        boolean connected = false;
        // android.os.Debug.waitForDebugger(); // blocks the service until a debugger attaches; enable only while debugging

        // Create a DatagramChannel as the VPN tunnel.
        mTunnel = DatagramChannel.open();
        // Protect the tunnel before connecting so its own packets are not routed back into tun0.
        if (!protect(mTunnel.socket())) {
            throw new IllegalStateException("Cannot protect the tunnel");
        }
        // Connect to the server.
        mTunnel.connect(server);
        // Non-blocking mode: read() returns 0 when nothing is pending instead of blocking.
        mTunnel.configureBlocking(false);
        // Configure the virtual network interface.
        handshake();
        // Now we are connected. Set the flag and show the message.
        connected = true;
        Message msgObj = mHandler.obtainMessage();
        msgObj.obj = "Connected";
        mHandler.sendMessage(msgObj);

        // Outgoing direction: tun0 -> tunnel.
        new Thread("TunReader") {
            public void run() {
                // Packets to be sent are queued in this input stream.
                FileInputStream in = new FileInputStream(mInterface.getFileDescriptor());
                // Allocate the buffer for a single packet.
                ByteBuffer packet = ByteBuffer.allocate(32767);
                int length;
                try {
                    while (!isInterrupted()) {
                        length = in.read(packet.array());
                        if (length < 0) {
                            break; // tun fd closed
                        }
                        if (length == 0) {
                            continue;
                        }
                        // Write the outgoing packet to the tunnel.
                        packet.limit(length);
                        debugPacket(packet); // packet size, protocol, source, destination
                        mTunnel.write(packet);
                        packet.clear();
                    }
                } catch (IOException e) {
                    Log.e(TAG, "tun read failed", e);
                }
            }
        }.start();

        // Incoming direction: tunnel -> tun0.
        new Thread("TunWriter") {
            public void run() {
                DatagramChannel tunnel = mTunnel;
                // Allocate the buffer for a single packet.
                ByteBuffer packet = ByteBuffer.allocate(8096);
                // Packets received need to be written to this output stream.
                FileOutputStream out = new FileOutputStream(mInterface.getFileDescriptor());
                try {
                    while (!isInterrupted()) {
                        // Read the incoming packet from the tunnel.
                        int length = tunnel.read(packet);
                        if (length > 0) {
                            // Write the incoming packet to the output stream.
                            out.write(packet.array(), 0, length);
                            packet.clear();
                        } else {
                            // Non-blocking channel: back off briefly instead of spinning at 100% CPU.
                            Thread.sleep(10);
                        }
                    }
                } catch (IOException e) {
                    Log.e(TAG, "tunnel read failed", e);
                } catch (InterruptedException e) {
                    // stop requested
                }
            }
        }.start();
        return connected;
    }

    private void handshake() throws Exception {
        Builder builder = new Builder();
        builder.setMtu(1500);
        builder.addAddress("10.0.0.2", 32);
        builder.addRoute("0.0.0.0", 0); // default route: every destination goes through tun0
        //builder.addRoute("192.168.2.0", 24);
        //builder.addDnsServer("8.8.8.8");
        // Close the old interface (if any) since the parameters have changed.
        if (mInterface != null) {
            try {
                mInterface.close();
            } catch (Exception e) {
                // ignore
            }
        }
        // Create a new interface using the builder and save the parameters.
        mInterface = builder.setSession("GIT VPN")
                .setConfigureIntent(mConfigureIntent)
                .establish();
    }

    // Logs the IPv4 header of an outgoing packet without moving the buffer's position,
    // so the following write() still sends the whole packet rather than skipping the header.
    private void debugPacket(ByteBuffer packet) {
        ByteBuffer p = packet.duplicate();
        // Java bytes are signed: mask with 0xFF or an octet like 173 is read as -83.
        int buffer = p.get() & 0xFF;
        int version = buffer >> 4;
        int headerlength = (buffer & 0x0F) * 4;
        Log.d(TAG, "IP Version:" + version);
        Log.d(TAG, "Header Length:" + headerlength);
        String status = "Header Length:" + headerlength;
        p.get();                         // DSCP + ECN
        buffer = p.getShort() & 0xFFFF;  // Total Length
        Log.d(TAG, "Total Length:" + buffer);
        p.getShort();                    // Identification
        p.getShort();                    // Flags + Fragment Offset
        p.get();                         // Time to Live
        buffer = p.get() & 0xFF;         // Protocol
        Log.d(TAG, "Protocol:" + buffer);
        status += " Protocol:" + buffer;
        p.getShort();                    // Header checksum
        String sourceIP = readIPv4Address(p);
        Log.d(TAG, "Source IP:" + sourceIP);
        status += " Source IP:" + sourceIP;
        String destIP = readIPv4Address(p);
        Log.d(TAG, "Destination IP:" + destIP);
        status += " Destination IP:" + destIP;
        Log.d(TAG, status);
    }

    // Reads four octets as an unsigned dotted-quad string.
    private static String readIPv4Address(ByteBuffer p) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 4; i++) {
            if (i > 0) {
                sb.append('.');
            }
            sb.append(p.get() & 0xFF);
        }
        return sb.toString();
    }
}
Source: (StackOverflow)
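Added example, not code from the post: a parser for the raw IPv4 datagrams a VpnService tun descriptor hands back, written in Python to mirror what debugPacket does and to show two pitfalls. The header length is 4 * IHL (the low nibble of byte 0), so with IHL = 5 the 20-byte header ends right after the destination address and the bytes that follow are already the TCP header (source and destination ports 0xb465 = 46181 and 0x01bb = 443 in the dump above), not IP options; and Java's byte is signed, so 0xAD prints as -83 unless masked with 0xFF, which is why the dump shows negative numbers. The sample packet is constructed: same addresses, TTL, ID and protocol as the dump, ports 46181 -> 443, with made-up sequence number, window and TCP options and a zero TCP checksum.

```python
"""Parse IPv4 + TCP headers from a packet read off an Android TUN file descriptor.

A VpnService tun fd yields raw IP datagrams (no Ethernet header). The sample
below is constructed to match the addresses in the dump in the post.
"""
import ipaddress
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; over a valid header (checksum included) it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def as_java_bytes(data):
    """What Java's signed byte prints for each octet: 0xAD shows as -83 unless masked with 0xFF."""
    return [b - 256 if b > 127 else b for b in data]


def parse_ipv4(packet):
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 packet")
    return {
        "header_length": ihl,
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "options": packet[20:ihl],         # empty when IHL == 5
        "payload": packet[ihl:total_len],  # transport header starts at 4*IHL, not a fixed 20
    }


def parse_tcp(segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("malformed TCP header")
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "flags": flags,
        "window": window,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def build_sample():
    """Constructed SYN 10.0.0.2:46181 -> 173.194.39.78:443 (values made up except the addresses, TTL, ID)."""
    options = (b"\x02\x04\x05\xb4"           # MSS 1460
               + b"\x04\x02"                 # SACK permitted
               + b"\x08\x0a" + b"\x00" * 8   # timestamps (zeroed)
               + b"\x01"                     # NOP
               + b"\x03\x03\x07")            # window scale 7
    tcp = struct.pack("!HHIIHHHH", 46181, 443, 0x12345678, 0, (10 << 12) | 0x02, 65535, 0, 0) + options
    src = ipaddress.IPv4Address("10.0.0.2").packed
    dst = ipaddress.IPv4Address("173.194.39.78").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xFCDB, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    return ip + tcp


def demo():
    packet = build_sample()
    ip = parse_ipv4(packet)
    tcp = parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None
    return ip, tcp


if __name__ == "__main__":
    ip, tcp = demo()
    print(ip["src"], "->", ip["dst"], "proto", ip["protocol"], "checksum ok:", ip["checksum_ok"])
    print(tcp["src_port"], "->", tcp["dst_port"], tcp["flags"], "TCP header", tcp["data_offset"], "bytes")
    print("bytes 16-23 as Java prints them:", as_java_bytes(build_sample()[16:24]))
```

Checking `checksum_ok` on every packet read from the tun fd is a cheap way to catch the kind of misaligned read that leaves a buffer position in the wrong place; a corrupted or shifted header will almost never sum to zero.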
I'm looking to write an LSP in C# to capture and redirect UDP packets.
I have little experience with LSPs, but I've heard they can do this sort of thing. Please correct me if I'm wrong, but is this possible?
I would love some example code, but I will take any information or advice anyone can give on the topic. :)
Source: (StackOverflow)
I'm curious as to how I could figure out the API URL an Android application (any app I have installed) uses if it makes API calls to some online server (a RESTful service for example). I presume I have to capture packets on the device and maybe analyse them in Wireshark or something to find the URL? I'm fairly competent in Java/Android development, but a bit lost when it comes to any sort of network analysis business.
Any pointers to useful information or even a brief walk-through would be greatly appreciated.
Thanks
Source: (StackOverflow)
I am attempting to capture localhost (loopback, 127.0.0.1) TCP traffic between master-slave (server-client) programs on my PC. Wireshark cannot do this, but I understand that RawCap does.
When I try to run the program, RawCap says "Unable to enter promiscuous mode (RCVALL_ON), using RCVALL_SOCKETLEVELONLY."
Any idea what is causing this?
Many thanks!
Source: (StackOverflow)
I have to regularly test the availability and functioning of a movie rental website. I wrote a Windows program which is able to automate a web browser according to a script, so this task is basically solved. Now I have to automate the mobile version of this web application: a native iOS app and a native Android app.
These apps are closed source, so they cannot be modified in any way. I think the test app should be deployed on the test devices (iPhone, iPad, Galaxy Tab, Galaxy S II), but I must be able to remote control it. I mean, I would like to create a connection between the test devices and a PC, upload test scripts from the PC to the devices, run them, and download the test results to the PC. The test script should start the app to be tested, manipulate its GUI (fill edit boxes, push buttons etc.), and follow its response somehow, for example by analyzing the GUI (the existence of some GUI elements, their caption, etc.), analyzing screenshots, and/or inspecting IP packets.
I wrote lots of similar test programs for Windows: I used ShellExecute, PostMessage, FindWindow, the WinPcap library etc., so I know how such a program should work. But since I never wrote applications for mobile OS's, I don't even know whether there are similar APIs and libraries for iOS and Android.
I would like to know where to start, I mean, which SDKs and developer tools could be used to write such an application. I'm also interested in commercial solutions. I would really appreciate any help.
Source: (StackOverflow)
I'm looking for a tool (or a set of tools) for Windows that will perform the following:
- Capture UDP packets from a specific network interface to a file.
- Play a stream of packets from a file through a network interface.
- In addition to 2: replay the original packets to a different host than the original one.
I've already got 1 and 2, but I can't find a tool to do 3.
For capturing I can use Wireshark, for playback Colasoft Packet Player, but I couldn't find a way to change the host the packets are sent to.
The tool should work on Windows XP SP2/3.
Source: (StackOverflow)
Linux has a feature to allow efficient capture of network packets by mmapping a shared buffer between the kernel and user. I'm trying to use this interface in a way that does not require root access (as I don't have it).
Often packet_mmap is used to look directly at all of the packets on the network, which would require root access. My application only requires the use of the standard linux UDP socket interface. I wish to use packet_mmap purely for efficiency - right now syscalls are eating over 50% of my CPU cycles.
Is there a way to configure packet_mmap such that it can be used from userspace?
Source: (StackOverflow)
I want to capture network data packets on android app. Do you have any suggestions or source code to help me understand if this is possible?
Source: (StackOverflow)
I am new to Wireshark and trying to write simple queries. To see the DNS queries that are only sent from my computer or received by my computer, I tried the following:
dns and ip.addr==159.25.78.7
where 159.25.78.7 is my IP address. It looks like I did it when I look at the filter results, but I wanted to be sure about that. Does that filter really do what I am trying to find out? I doubted a little bit because in the filter results I also see only 1 other result whose protocol is ICMP and whose info says "Destination unreachable (Port unreachable)".
Can anyone help me with this?
Thanks
Source: (StackOverflow)
Interested in any comments anyone has around the various .NET tools which can be used for passive packet capture. In terms of WinPcap the choice seems to be between Pcap.Net and SharpPcap. Another potential offering is Microsoft's Network Monitor, and I am sure there are others as well.
I have used Ethereal/Wireshark as a diagnostic tool occasionally over the years, but that is the limit of my knowledge. I'm looking to automate the capture process and subsequent diagnostic processing. I am tending towards Pcap.Net at the moment, but would like to hear from anyone who has used two or more of these tools and whether they'd recommend one over another. My preference would be for the simplest interface/shallowest learning curve. Please let me know your thoughts.
Thanks
Patrick
Source: (StackOverflow)