
Add a capture command to analyze Kathará network traffic from the host using Wireshark

Status: Open. Opened by nopid 2 years ago, 2 comments.

- What I did: Add the possibility to use Wireshark to analyze the packets on Kathará networks from the host. Under Netkit, vdump (see for example #126) was an unofficial but popular solution for this. This PR can be seen as a better vdump.

$ kathara wire A

will launch Wireshark to capture traffic on network A (using TCP sockets). It is possible to stop and restart the capture in Wireshark at will. Even better, one can capture several networks at once (and use some field in the frame to discriminate based on the network) like so:

$ kathara wire A B C

- How I did it: The contribution is in two parts. This PR provides the command part. The repository https://github.com/nopid/wire provides a docker image for a snooping container that is connected lazily to the analyzed networks.

A control socket listens on port 5000. On kathara wire A, the command part sends a request on the control port. Upon receiving the line DUMP A, the snooping container checks if network A is already known and responds PORT 5002 if network A can be listened to on port 5002. If the network is not known, it responds NEW PORT 5003 and the command part connects the network to the snoop container. The command part finally launches the wireshark command to connect on the given port (wireshark -i 'TCP@[127.0.0.1]:5002' -k).

The snoop container can be stopped by kathara wipe -s or via kathara wipe.

The wireshark command path, docker image repository, port range and container name can be customized via settings.

The PR is still missing:

  • some proper documentation for the command;
  • a solution to remove multicast IPv6 packets coming from the snooping container.

Beware that this PR is based on the multi-arch branch PR #130, not on master. For testing purposes, I compiled a release for macOS and Linux amd64 and arm64.

- How to verify it: Launch a lab and issue kathara wire A where A is a network of the lab.

- Description for the changelog: add wire command to capture traffic for analysis in wireshark

nopid, Jul 22 '21 21:07
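The control exchange described in the PR body (DUMP A, answered by PORT n for a network the snoop container already knows or NEW PORT n for a new one, followed by a wireshark -i 'TCP@[...]:n' -k launch) is small enough to act out end to end. The block below is an added illustration and not code from this PR, from https://github.com/nopid/wire or from Kathará: a loopback stand-in for the snoop container's control service plus the client side of kathara wire. It assumes data ports are handed out sequentially from 5002 within a configurable range and that malformed lines get an ERR reply; the PR text specifies neither, so both are assumptions. It binds only to 127.0.0.1, matching the loopback address in the PR's wireshark command.

```python
import socket
import threading


class SnoopControl:
    """Constructed stand-in for the snoop container's control service state.

    Maps network name -> data port. Ports are allocated sequentially from
    first_port up to last_port (assumed scheme, not taken from the PR).
    """

    def __init__(self, first_port=5002, last_port=5010):
        self.known = {}
        self.next_port = first_port
        self.last_port = last_port
        self.lock = threading.Lock()

    def handle_line(self, line):
        # Protocol from the PR text: "DUMP <network>" in, "PORT <n>" or
        # "NEW PORT <n>" out. "ERR ..." for bad requests is assumed here.
        parts = line.strip().split()
        if len(parts) != 2 or parts[0] != "DUMP":
            return "ERR bad request"
        net = parts[1]
        with self.lock:
            if net in self.known:
                return f"PORT {self.known[net]}"
            if self.next_port > self.last_port:
                return "ERR no free port"
            port = self.next_port
            self.next_port += 1
            self.known[net] = port
            return f"NEW PORT {port}"


def _serve(ctl, sock):
    # One request line per connection, one reply line back.
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:  # listening socket closed: stop serving
            return
        with conn, conn.makefile("rw") as f:
            line = f.readline()
            if line:
                f.write(ctl.handle_line(line) + "\n")
                f.flush()


def start_control_server(ctl, host="127.0.0.1", port=0):
    """Start the control service on a loopback port; returns (port, socket)."""
    sock = socket.socket()
    sock.bind((host, port))
    sock.listen()
    threading.Thread(target=_serve, args=(ctl, sock), daemon=True).start()
    return sock.getsockname()[1], sock


def request_dump(network, ctl_port, host="127.0.0.1"):
    """Client side of `kathara wire <network>`: returns (is_new, data_port).

    is_new is True when the container answered NEW PORT, i.e. the command
    part would still have to connect the network to the snoop container.
    """
    with socket.create_connection((host, ctl_port), timeout=5) as s, \
            s.makefile("rw") as f:
        f.write(f"DUMP {network}\n")
        f.flush()
        reply = f.readline().strip().split()
    if reply[:2] == ["NEW", "PORT"]:
        return True, int(reply[2])
    if reply[:1] == ["PORT"]:
        return False, int(reply[1])
    raise RuntimeError(f"unexpected reply: {' '.join(reply)}")


def wireshark_argv(wireshark_path, data_port, host="127.0.0.1"):
    """Argument vector matching the PR's launch: wireshark -i 'TCP@[host]:port' -k."""
    return [wireshark_path, "-i", f"TCP@[{host}]:{data_port}", "-k"]


if __name__ == "__main__":
    ctl = SnoopControl()
    ctl_port, listener = start_control_server(ctl)
    for net in ("A", "A", "B"):
        is_new, data_port = request_dump(net, ctl_port)
        print(net, "new" if is_new else "known", wireshark_argv("wireshark", data_port))
    listener.close()
```

Run as a script it prints the three exchanges for DUMP A, DUMP A again, and DUMP B: the first and last come back as NEW PORT, the repeat as PORT with the same number.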

Hi @nopid, thanks for the pull request!

I have to deeply check what you added/changed in the code. Additionally, I have to check if your solution is compatible with Megalos (Kubernetes Manager).

Mariano.

Skazza94, Jul 31 '21 08:07

Hi @nopid and @Skazza94, thank you first for the capturing idea, which would be a nice add-on.

However, I have another idea here (or better said, let me describe how I captured on Windows/Linux nodes with Docker until now): I added a wireshark container to the lab.conf

wireshark[0]=A
wireshark[bridged]=true
wireshark[image]="lscr.io/linuxserver/wireshark"

You can thereafter access Wireshark over the bridge interface on port 3000 and use eth0 to capture on collision domain A. Maybe @Skazza94 could add such an entry to the Wiki of Kathara. Best regards, Marcel

whatever4711, Jul 13 '22 07:07

Hi @nopid and @whatever4711,

We chose to adopt the solution by @whatever4711 since it does not require any change in the code. Moreover, it does not introduce any dependency on external tools.

We added a tutorial page in the wiki: Capture Packets using Wireshark GUI

Many thanks to all for pointing out this solution! We hope to see other PRs and suggestions :angel:

Tommaso.

tcaiazzi, Sep 06 '22 13:09

Hi @whatever4711 and @tcaiazzi,

We are well aware of a solution along the lines proposed by @whatever4711. Indeed, it was what we first tried, but due to the unsolved issue https://github.com/KatharaFramework/Kathara/issues/135 it was not working properly on every platform (problem on macOS at least).

We have been happily using our PR with a few hundred students last academic year, as it permits simple dynamic wiretapping. I understand that you might not want to adopt it and so we will keep maintaining our own fork on https://github.com/nopid/Kathara (currently 3.5.0 + pip install).

I am looking forward to a simple API to include such unsupported extensions into Kathará without forking the entire source tree.

Best, Nicolas

nopid, Sep 06 '22 14:09