Wireshark is super powerful! You just need to learn how to increase your chances of finding needles in haystacks. Needles are the packets and frames which hold the forensic truth of what actually happened, the haystack is the rest of the junk packets and frames that usually get scooped up in the process of the capture. Here are a couple of easy steps to filter both in detail and visually for some interesting types of packets.
Filtering for ARP frames in Wireshark is simple. For an existing packet capture just type arp and hit enter/return in the display filter bar. The corresponding packets will show only ones with the protocol type of ARP. to edit.
Filtering for MDNS is equally as simple. In the display filter bar you can type mdns which will filter the displayed packets to those that match the protocol of MDNS.
If you would like to isolate to Apple Bonjour specifically you can write a display filter for packets with a destination IP address of 184.108.40.206 as displayed below.
Once we know how to display specific types of packets in Wireshark we can display those packets in graphs and see their relation to each other. I really like using the I/O Graph function of Wireshark to see the relative percentage of ARP or MDNS packets to the total number of packets in a visual way.
To get to the I/O Graph click on Statistics in the Menu bar and find I/O Graph.
Typically the I/O Graph will open displaying a line graph which represents the packets per second over time like below:
By including extra details using the display filters previously mentioned you can get a visual representation of the number of ARP packets vs the total number of packets per second.
On a quiet network (overnight when no one is around) the ARP protocol might be pretty much the only type of traffic present as devices keep their ARP tables up to date. But during the day you don't want ARP to be a huge percentage of traffic on your main client network segment - this might indicate an issue which would need to be further investigated. To differentiate between the quiet and busy times on your network it is worth taking some sample captures from various points on the network and analysing the packets per second to see what is 'expected' or 'normal'. The more you look at it the more understanding you will get for the norms in your environment.
To include this you simply add an additional graph detail by clicking the Plus button below the graph details pane and entering a new display filter with a customised name:
Be sure to colour your new line in a different colour so you can easily see the difference between it and other lines on the graph. Wireshark can be used in the same way for 802.11 frame captures. For example you might be able to display broadcast frames vs total frames per second within the I/O Graph, or maybe visualise management and control frames vs data frames. As you learn more display filters the I/O Graph function of Wireshark can become very powerful.
Written by Matt Sutherland
Today my Ubertooth One arrived. I ordered this for a couple of reasons… but the main, pressing reason was I wanted to better understand Bluetooth Beacons and I need a way to packet capture in a promiscuous mode much like I can with WiFi. It seems that the Ubertooth One is the simplest and cheapest solution available - from what I found ultimately it was the only option.
The Ubertooth One was created by Michael Ossmann and Dominic Spill from Great Scott Gadgets.
There are a lot of instructions available… and as long as this isn’t your first time using the make command (http://linoxide.com/how-tos/linux-make-command-examples/) and you aren’t scared to type a few commands in to a terminal, command only, window then getting started isn’t too much work. If you aren’t a programmer then having some experience and patience in searching the Internet for answers then give it a go. There are some dependencies and I found this was the best place to get started: https://github.com/greatscottgadgets/ubertooth/wiki/Getting-Started but there are many other websites you will visit in the initial stages of getting your Ubertooth One going.
I had to compile the firmware as the ready to go package was considered old for the host tools. https://github.com/greatscottgadgets/ubertooth/wiki/Firmware I found this out, because someone else had the issue: https://github.com/greatscottgadgets/ubertooth/issues/228
I used the latest GNU-ARM-Embedded toolchain https://developer.arm.com/open-source/gnu-toolchain/gnu-rm/downloads rather than the older one that was linked to elsewhere. Maybe this was good, maybe bad… It works!
Here was a great piece of learning…
Bluetooth packets start with a code that is based on the Lower Address Part (LAP) of a particular Bluetooth Device Address (BD_ADDR). The BD_ADDR is a 48 bit MAC address, just like the MAC address of an Ethernet device. The LAP consists of the lower 24 bits of the BD_ADDR and is the only part of the address that is transmitted with every packet.
I was able to sniff these LAP’s simply with the Ubertooth One as soon as firmware was flashed and libraries and host tools installed.
Simply capturing Bluetooth in Wireshark https://github.com/greatscottgadgets/ubertooth/wiki/Capturing-BLE-in-Wireshark
But the info didn’t contain what I was expecting…
And then I found this… https://github.com/greatscottgadgets/libbtbb/issues/14
I need to compile some plugins for Wireshark so that it can decode the data coming from the Ubertooth correctly. It looks like there is a Mac OS bug.
Next Stop Linux… More to come.
Interesting reading and watching:
Ubertooth Getting Started: https://github.com/greatscottgadgets/ubertooth/wiki/Getting-Started
So you want to track people with Ubertooth: http://ubertooth.blogspot.com.au/2012/11/so-you-want-to-track-people-with.html
I highly recommend watching this youtube video where Michael Ossmann discusses the difficulties of Bluetooth capture and more https://www.youtube.com/watch?v=KSd_1FE6z4Y
Where to buy:
https://www.ozhack.com/shop/bluetooth/ubertooth-one/ - For the Australian's
https://greatscottgadgets.com/ubertoothone/ - for a whole range of international resellers
Written by Matt Sutherland
Every year I donate money to the Wikimedia foundation. If the organisation sounds familiar but you are not sure why it's because you most likely use one of their biggest contributions to the world - Wikipedia.
Every week, some weeks multiple times, I reference and learn from the wealth of information that can be found within Wikipedia. This information is of course contributed by volunteers (essentially) who don't receive payment for their writings and then potentially re-edited by others who have a differing view, opinion or understanding of the topic. It's the openly editeditable nature that leads some to mark Wikipedia as an unreliable source of information. That's fine, I use it all the time and learn a heck of a lot. One website will never be my only source of learning so I build my own resilience to misinformation - at least as good as the common man - and thus I personally vouch for the overall richness of Wikipedia, at least for the topics that interest me.
I give $10. I feel a small amount of good through making a donation to a non-profit organisation that directly benefits me. Critically important to assisting the good feeling is making the process to give simple, hoopless and fast. The Wikiemedia Foundation has not gone the path of many charities where they require direct debit capability and an ongoing commitment with monthly "subscription" style payments (a practice of which I can appreciate the benefits - but frankly it turns me off).
With a simple website I am able to select a $10 donation amount. Other options are available, including a subscription, and it is possible to manually enter an amount also. The modes of payment are simply PayPal or Credit Card/Debit or BPay and the transaction is no fuss and requires as few clicks as are necessary. They have done it right.
I do get very polite emails once an a while from Jimmy Wales, the Wikipedia Founder, asking simply for another donation. He keeps it short and to the point and is clearly grateful. I find the entire thing admirable... maybe it helps that I am a beneficiary in that I can use the site... I won't self-analyse too deeply.
So, the donation goes towards (as copied from the payment site):
Technology: Servers, bandwidth, maintenance, development. Wikipedia is one of the top 10 websites in the world, and it runs on a fraction of what other top websites spend.
People and Projects: The other top websites have thousands of employees. We have about 300 staff to support a wide variety of projects, making your donation a great investment in a highly-efficient not-for-profit organization.
Cool! So I know how much I'm paying... I know who I'm paying and most importantly I know what they use the money for.
I use Wikipedia a lot. Sometimes I find myself surprised that I'm reading a Wikipedia page. It's because there is a distinct lack of adverts and bulky noise that make up the rest of the Internet. There is little to take your attention away from the stuff that matters. You might find this too. I suspect if you're in a technical field and you look to the Internet for quick info you'll find Wikipedia is a common source for you as well. Maybe it's time to help them out? Just a little bit...
Thanks Wikimedia Foundation, Thanks Jimmy and thanks to all the Wikipedia contributors.
We build and optimise networks. Continuous learning is our secret to being good. Along the learning journey we will share things here...