How to sniff and dump network traffic

One option: dump to pcap-ng (use -P to dump in the earlier libpcapc) - then convert for chaosreader dumpcap -i wlan0 -w file.cap Pcap-NG (aka NTAR). This format allows for more advanced features than the old libpcap (aka PCAP) format, such as multiple interface types and annotations.

Another option: use tcpdump dump directly to libpcap format tcpdump -i wlan0 -s 65535 -w wlancap.cap

convert from PcapNG to PCAP editcap -F libpcap <infile> <outfile>

Parsing out streams and data

  • Interesting stuff:

chaosreader -nd -m 1k --dir <export dir> <capturefile.libpcap>

  • Detect passwords in the traffic

    datalog=$(date) sudo -s ufw disable ettercap -Tzq -i wlan0 -l “$datalog” ufw enable etterlog -a “$datalog”.eci chown user:user “$datalog”.eci

  • Everything in multiple formats (will be big)

chaosreader -ndve --dir <export dir> <capturefile.libpcap>

-n use http names in the report
-d resolve via DNS knowledge
-r include raw files (will dump HTTPS as well)
-v verbose output
-e spit everything 
-m 1k Ignore streams smaller than 1k

then rm redundant files -

rm *.hex.*
find . -size 0 -delete
/usr/share/fslint/fslint/findup -d
rm session_*.html
rm stream_*.html

(.info and .raw have all the info in more readable format)

http://www.informationelle-selbstbestimmung-im-internet.de/chaosreader.html

Tags: NetSec