How to capture MQTT data locally in SSH remote server using Wireshark? - wireshark

I want to capture MQTT packets on an SSH Linux-based remote server using Wireshark from my home. I can capture data going out through the Internet; for example, when I use the command line mosquitto_pub -h test.mosquitto.org -t topic -m "Hello", I can see the packets in Wireshark. But when I publish data on localhost, for example using the command mosquitto_pub -d -h localhost -t hello/world -m "75", I can't see any packets in Wireshark. I want to run a client/server on the same remote server.
I use this command to open Wireshark:
sudo ssh user@x.x.x.x tcpdump -U -s0 -w - | wireshark -k -i -
I know only the basics of Wireshark, so how can I solve this, please?

You didn't specify the interface that tcpdump should capture on. Try adding the -i lo option, as in:
sudo ssh user@x.x.x.x tcpdump -i lo -U -s0 -w - | wireshark -k -i -

Related

How do I save tcpdump monitoring of a container for later analysis

I am using the command below to monitor a single container. How can I extend this so that I can save the tcpdump output for later analysis using Wireshark?
docker run -it --rm --net container:<container_name> \
nicolaka/netshoot tcpdump ...
tcpdump has an option to send raw captured packets to stdout, send it to a file on host:
docker run -i --rm --net container:<> nicolaka/netshoot tcpdump -w - > packets.dump
or to Wireshark directly
docker run -i --rm --net container:<> nicolaka/netshoot tcpdump -i any -w - | wireshark -k -i -

Filter specific API using Tshark

I run
tshark -i eth0 -f "port 80" -w example.pcap
to capture the HTTP traffic. And then I run tshark -r example.pcap -Y xml.tag to filter the xml. Is this the correct way of filtering the API (SOAP/REST)? Are there any other ways of doing it?

How to use mosquitto_pub to publish the topic/message with specific time interval on the mqtt server?

I am working on a Raspberry Pi with the OS "Raspbian GNU/Linux 8 (jessie)". Now what I am trying to do is send a simple message from my Raspberry Pi to the MQTT server which I have created on "api.cloudmqtt.com". I am able to send (from Raspberry Pi to my server) and receive (from server to my Raspberry Pi)
with the following commands
1.
pi@RevPi100102:~ $ mosquitto_pub -h "farmer.cloudmqtt.com" -p "18989" -u "obvrnnss" -P "xxxxxxxxx" -t "Test check" -m "Hello from RevPi"
2.
pi@RevPi100102:~ $ mosquitto_sub -h "farmer.cloudmqtt.com" -p "18989" -u "obvrnnss" -P "xxxxxxxxx" -t "Test check"
After this I tried to send the same message to the server using -r, and for this I took help from the link for mosquitto_pub
pi@RevPi100102:~ $ mosquitto_pub -h "farmer.cloudmqtt.com" -p "18989" -u "obvrnnss" -P "xxxxxxxxxx" -t "Test check" -m "Hello from RevPi" -r --repeat-delay "2"
I am getting the following error,
Error: Unknown option '--repeat-delay'.
Can someone help me to find where I am going wrong and how to use the options -r and --repeat-delay? I am not an expert in Linux commands.
Firstly the -r flag is not the short version of --repeat or --repeat-delay
From the mosquitto_pub doc
-r,
--retain
If retain is given, the message will be retained as a "last known good" value on the broker. See mqtt(7) for more information.
To get repeating messages you need to use the --repeat flag. This can then be combined with the --repeat-delay flag to set the time between each message being published.
Secondly, the repeat functionality is new; it was only added at version 1.6 of mosquitto. You have not said what version you are using, but if it is the default that ships with Raspbian then it is unlikely you have this feature.

Docker : sharing /dev/snd on multiple containers leads to "device or resource busy"

When adding host device (--device /dev/snd) to a Docker container, I sometimes encounter Device or resource busy errors.
Example
I have reproduced the issue with a minimal example involving audio (alsa). Here's my Dockerfile (producing an image docker-device-example) :
FROM debian:buster
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
alsa-utils \
&& rm -rf /var/lib/apt/lists/*
I am running the following command (speaker-test is a tool to generate a tone that can be used to test the speakers), with /dev/snd shared :
docker run --rm \
-i -t \
--device /dev/snd \
docker-device-example \
speaker-test
Issue
When running the previous command, a pink noise is played, but only under some conditions :
if I am not playing any sound on my host : for example, if I'm playing a video, and that even if the video is paused, the command fails
if I am not running another container accessing the /dev/snd device
It looks like the /dev/snd is "locked" when used, and if that is the case, I got the following output (the error is represented by the last 2 lines) :
speaker-test 1.1.6
Playback device is default
Stream parameters are 48000Hz, S16_LE, 1 channels
Using 16 octaves of pink noise
ALSA lib pcm_dmix.c:1099:(snd_pcm_dmix_open) unable to open slave
Playback open error: -16,Device or resource busy
And, vice versa, if the pink noise is played (on the container), then I cannot play any sound on my host (Ubuntu). But commands on my host do not fail with the same message. Instead, the command on the host (like aplay test.wav to play a simple sound) is blocked indefinitely (even when the container is shut down afterwards).
I tried to debug by running strace aplay test.wav, and the command seems to be blocked on the poll system call:
poll([{fd=3, events=POLLIN|POLLERR|POLLNVAL}], 1, 4294967295
Question
How can I play sounds from 2 (or more) different containers, or from my host and a container, at the same time?
Additional info
I've reproduced the issue with /dev/snd, but I don't know if similar things happen when using other devices, or if it's just related to sound devices or to alsa.
Note also that when running multiple speaker-test or aplay commands simultaneously and all on my host (no containers involved), then all sounds are played.
I can't tell how to solve this with ALSA, but can provide 2 possible ways with pulseaudio. If these setups fail, install pulseaudio in the image to make sure dependencies are fulfilled.
ALSA directly accesses sound hardware and blocks access to it for other clients. But it is possible to set up ALSA to serve multiple clients. That has to be answered by someone else. Probably some ALSA dmix plugin setup is the way to go.
Pulseaudio with shared socket:
Create pulseaudio socket:
pactl load-module module-native-protocol-unix socket=/tmp/pulseaudio.socket
Create /tmp/pulseaudio.client.conf for pulseaudio clients:
default-server = unix:/tmp/pulseaudio.socket
# Prevent a server running in the container
autospawn = no
daemon-binary = /bin/true
# Prevent the use of shared memory
enable-shm = false
Share socket and config file with docker and set environment variables PULSE_SERVER and PULSE_COOKIE. Container user must be same as on host:
docker run --rm \
--env PULSE_SERVER=unix:/tmp/pulseaudio.socket \
--env PULSE_COOKIE=/tmp/pulseaudio.cookie \
--volume /tmp/pulseaudio.socket:/tmp/pulseaudio.socket \
--volume /tmp/pulseaudio.client.conf:/etc/pulse/client.conf \
--user $(id -u):$(id -g) \
imagename
The cookie will be created by pulseaudio itself.
Pulseaudio over TCP:
Get IP address from host:
# either an arbitrary IPv4 address
Hostip="$(ip -4 -o a | awk '{print $4}' | cut -d/ -f1 | grep -v 127.0.0.1 | head -n1)"
# or especially IP from docker daemon
Hostip="$(ip -4 -o a| grep docker0 | awk '{print $4}' | cut -d/ -f1)"
Run docker image. You need a free TCP port, here 34567 is used.
(TCP port number must be in range of cat /proc/sys/net/ipv4/ip_local_port_range and must not be in use. Check with ss -nlp | grep 34567.)
docker run --rm \
--name pulsecontainer \
--env PULSE_SERVER=tcp:$Hostip:34567 \
imagename
After docker run get IP of container with:
Containerip="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' pulsecontainer)"
Load pulseaudio TCP module authenticated with container IP:
pactl load-module module-native-protocol-tcp port=34567 auth-ip-acl=$Containerip
Be aware that the TCP module is loaded after container is up and running. It takes a moment until pulseaudio server is available for container applications.
If TCP connection fails, check iptables and ufw settings.
A How-To summarizing these setups: https://github.com/mviereck/x11docker/wiki/Container-sound:-ALSA-or-Pulseaudio

How do I capture three hosts with Wireshark via command line?

I am successfully able to capture with this command line.
C:\Program Files\Wireshark\wireshark.exe -i 4 -k -b duration:3600 -w c:\capture.pcap
I have tried this method and it pops the Wireshark command line help window.
C:\Program Files\Wireshark\wireshark.exe -i 4 -k -b duration:3600 -w -f 10.0.0.1 and 10.0.0.2 and 10.0.0.3 c:\capture.pcap
I have also tried this way.
C:\Program Files\Wireshark\wireshark.exe -i 4 -k -b duration:3600 -w -f host 10.0.0.1 and 10.0.0.2 and 10.0.0.3 c:\capture.pcap
Neither one of the above work. they both get the same error. I know it is something simple, however I do not know Wireshark well enough.
Thanks.
You have a few problems:
The filename (c:\capture.pcap) must immediately follow the -w flag.
The filter must be "quoted" if it contains spaces.
You must specify the "host" keyword before each address.
The logical operation you want is almost certainly "or", not "and"
Given the above, try:
"C:\Program Files\Wireshark\wireshark.exe" -i 4 -k -b duration:3600 -w c:\capture.pcap -f "host 10.0.0.1 or host 10.0.0.2 or host 10.0.0.3"
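The capture-filter rules from the answer above, and the interface choice from the MQTT-over-SSH answer at the top of the page, combined in one added example (not code from any of the posters). The function names are hypothetical, and it assumes the broker listens on the default MQTT port 1883 and that SSH uses port 22.

```shell
#!/bin/sh
# Added example: helper names are hypothetical. Assumes MQTT on TCP 1883, SSH on TCP 22.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# host_filter ADDR...: print "host A or host B ...".
# "or" is required: a packet has one source and one destination, so
# "host A and host B and host C" can never match all three.
host_filter() {
    filter=
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
        filter="${filter:+$filter or }host $addr"
    done
    printf '%s\n' "$filter"
}

# remote_capture_cmd IFACE FILTER: print the tcpdump command to hand to ssh.
remote_capture_cmd() {
    iface=$1 filter=$2
    # Reject anything that could break out of the single quotes below.
    case "$iface" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$filter" in *\'*) return 1 ;; esac
    # Off loopback, the SSH stream carrying the pcap would be captured too.
    [ "$iface" = lo ] || filter="($filter) and not port 22"
    printf "tcpdump -i %s -U -s0 -w - '%s'\n" "$iface" "$filter"
}

# Demo: loopback MQTT capture, then the three-host filter.
remote_capture_cmd lo 'tcp port 1883'
host_filter 10.0.0.1 10.0.0.2 10.0.0.3
```

Pass the printed command to ssh as a single argument, for example ssh user@x.x.x.x "$(remote_capture_cmd lo 'tcp port 1883')" | wireshark -k -i -, so the remote shell sees the filter quoted. The host_filter output goes to Wireshark's -f option inside double quotes.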
