I'm currently building a project to identify IoT devices on a home network and was wondering if anyone has any idea where I could get my hands on some sample pcaps that include ZigBee traffic on them. I don't currently have the ability to order or have the hardware for sniffing zigBee network traffic and am in a bit of a time crunch so if anyone could help me then I would be very appreciative.
I'm going to interpret your question as "How can I find a packet capture with $protocol". I created a searchable pcap database that you can find protocols with, including ZigBee: https://tshark.dev/search/pcaptable/
To find ZigBee pcaps, search with [zbee in the protocol filter to find pcaps, where
[ indicates a protocol. Without this, you'll search pcap descriptions as well.
zbee is the wireshark display filter family for the ZigBee protocol.
Related
I'm quite a beginner to Wireshark and I got problem using it, I searched the wireshark wiki but seems no promising results. Hopefully I can get some help here.
I am trying to analyze the network traffic between LG smart watch and Android phone, which all go through bluetooth channel. Now I have got the network traffic log file and I can view it by running wireshark <log_file_name>. Problem is how can I extract and retrieve data, or even just remove the bluetooth header and get the original network layer packet, because I can parse the IP layer packet but bluetooth packet is not what I want and what I understand.
I have a small home network that I would like to analyze and capture the traffic on. What are my options for doing this? Ultimately, I would like to use a packet capture library, such as libpcap, to sniff the network in real-time as my router receives packets. I'm mainly interested in HTTP traffic. Thus far, when I run my program, I only seem to be able to see packets sourced or destined to my machine. Is there a way that I may inspect any traffic that travels through my wireless modem/router?
From the research I've done, it seems that the only way this is possible is through ARP poisoning or using a CISCO router that features Embedded Packet Capture.
Has anyone tried either of these and how successful were you? Are these my only options or is there something I may have overlooked?
Hi :) I think ARP poisoning and so on is not so easy to drop in.. ;) but you could start by trying one of the most famous network packets analyzer: Wireshark. Networking is very far to be easy.. :P but Wireshark will help you a lot and, btw, supports also libcap. Hope that helps :)
Could i inject packets to Linux TCP stack without modifying the ethernet driver? Could i do this with using a library or sth ?
Thank you,
If by 'inject packets to Linux TCP stack' you mean send some data that the Linux kernel will treat as a frame coming from an Ethernet interface then you can use a 'tap' device. If an IP packet (layer 3) is good enough, then use a 'tun' device.
http://en.wikipedia.org/wiki/TUN/TAP
http://www.kernel.org/pub/linux/kernel/people/marcelo/linux-2.4/Documentation/networking/tuntap.txt
Libnet
Libnet is a generic networking API that provides access to several protocols. It is not designed as a 'all in one' solution to networking. Currently many features that are common in some network protocols are not available with Libnet, such as streaming via TCP/IP. We feel that Libnet should not provide specific features that are possible in other protocols. If we restrict Libnet to the minimal needed to communicate (datagram/packets) then this allows it to support more interfaces.
Otherwise, if you're just wondering about injecting hand-crafted packets into the network, read the man pages and look for online help with raw sockets. Some good places to start are man 7 raw, man packet, and there are some ok tutorials at security-freak.net, though the code there is not written particularly well for my tastes.
I've been trying to find a tool for monitoring my home network. Before I go into the details, I've looked at a ton of different software and they're either an overkill or don't have what I'm looking for. Hopefully the community can help me with some advice.
My network is quite small. It consists of a modem connected to a D-Link DI-524 router. To this router I have a number of computers hooked up wirelessly.
What I'm looking for is a lightweight tool for monitoring my traffic. The ideal tool would have a GUI that shows an icon of the router, and icons of all devices connected to the router with a bandwidth indicator on the lines connecting the nodes. That's pretty much it.
I'm not sure if my router has SNMP. This might be a dealbreaker since many of the cheaper routers don't. I've also read somewhere that many routers can be monitored over UDP.
Found tnv after quick googling.
tnv (The Network Visualizer or
Time-based Network Visualizer) depicts
network traffic by visualizing packets
and links between local and remote
hosts.
Here is a list of good tools to monitor network activity.
Looks like MRTG was the best tool to use
I have also been pleased with the Serial and USB software provided by HHD Software. I've never used their Network version, but if its as good as the USB and Serial, its probably pretty good. Here is the free trial version.
you can use CACTI and Mikrotik DUDE.
How can I connect a system to a network and sniff for virus/spyware related traffic? I'd like to plug in a network cable, fire up an appropriate tool sand have it scan the data for any signs of problems. I don't expect this to find everything, and this is not to prevent initial infection but to help determine if there is anything trying to actively infect other system/causing network problems.
Running a regular network sniffer and manually looking through the results is no good unless the traffic is really obvious,but I havn't been able to find any tool to scan a network data stream automatically.
I highly recommend running Snort on a machine somewhere near the core of your network, and span (mirror) one (or more) ports from somewhere along your core network path to the machine in question.
Snort has the ability to scan network traffic it sees, and automatically notify you via various methods if it sees something suspicious. This could even be taken further, if desired, to automatically disconnect devices, et cetera, if it finds something.
Use snort: An open source network intrusion prevention and detection system.
Wireshark, formerly ethereal is a great tool, but will not notify you or scan for viruses. Wireshark is a free packet sniffer and protocol analyzer.
Use the netstat -b command to see which processes have which ports open.
Use CPorts to see a list of ports and the associated programs, and have the ability to close those ports.
Download a free anti-virus program such as free AVG.
Setup your firewall more tightly.
Setup a gateway computer to let all network traffic go through. Take the above recommendataions to the gateway computer instead. You will be checking your whole network instead of just your one computer.
You can make Snort scan traffic for viruses. I think this will be the best solution for you.
For watching local network traffic your best bet (with a decent switch) is to set your switch to route all packets out a specific interface (as well as whatever interface it would normally send). This lets you monitor the entire network by dumping traffic down a specific port.
On a 100 megabit network, however, you'll want a gigabit port on your switch to plug it into, or to filter on protocol (e.g. trim out HTTP, FTP, printing, traffic from the fileserver, etc.), or your switch's buffers are going to fill up pretty much instantly and it'll start dropping whatever packets it needs to (and your network performance will die).
The problem with that approach is that most networks today are on switches, not hubs. So, if you plug a machine with a packet sniffer into the switch, it will only be able to see traffic to and from the sniffing machine; and network broadcasts.
As a followup to Ferruccio's comment you will need to find some method of getting around your switches.
A number of network switches have the option of setting up port mirrors, so that all traffic (regardless of the destination) will be copied, or "mirrored", to a nominated port. If you could configure your switch to do this then you would be able to attach your network sniffer here.
Network Magic, if you don't mind something that's not open source.
You can use an IDS, hardware or software
http://en.wikipedia.org/wiki/Intrusion-detection_system